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Abstract 

Intent  protection  is  a  model  of  software  obfuscation  which,  among  other  crite¬ 
ria,  prevents  an  adversary  from  understanding  the  program’s  function  for  use  with 
contextual  information.  Relating  this  framework  for  obfuscation  to  malware  detec¬ 
tion,  if  a  malware  detector  can  perfectly  normalize  a  program  P  and  any  obfuscation 
(variant)  of  the  program  O(P),  the  program  is  not  intent  protected.  The  problem  of 
intent  protection  on  programs  can  also  be  modeled  as  intent  protection  on  combina¬ 
tional  logic  circuits.  If  a  malware  detector  can  perfectly  normalize  a  circuit  C  and 
any  obfuscation  (variant)  0(C)  of  the  circuit,  the  circuit  is  not  intent  protected. 

In  this  effort,  the  research  group  set  the  primary  goal  as  determining  if  a  malware 
detector  based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly  normalize 
circuits  transformed  by  a  sub-circuit  selection  and  replacement  algorithm,  even  when 
the  transformation  algorithm  is  known.  The  research  group  set  the  secondary  goal 
as  relating  this  result  on  circuit  transformations  to  the  realm  of  software  obfuscation. 
The  transformation  rules  of  the  sub-circuit  selection  and  replacement  algorithm  are 
identified  and  modeled  as  rewrite  rules  in  a  term  rewriting  system.  These  rewrite  rules 
are  examined  for  critical  overlaps  which  cannot  be  resolved  by  a  widely  used  com¬ 
pletion  algorithm  known  as  Knuth-Bendix.  The  research  group  performs  an  analysis 
of  the  critical  overlaps  found  within  the  rewrite  rules  and  successfully  relates  these 
results  to  the  instruction-substitution  obfuscations  of  a  software  obfuscator. 
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Sub-circuit  Selection  and  Replacement 


Algorithms  Modeled  as 
Term  Rewriting  Systems 

I.  Introduction 

1.1  Background 

Metamorphic  malware  are  programs  which  contain  two  components:  a  metamor- 
phic  engine  and  a  malicious  payload.  Metamorphic  engines  using  instruction- 
substitution  obfuscations  modify  the  instructions  of  a  malware  during  replication 
causing  new  generations  of  the  same  malware  to  contain  different  segments  of  code. 
Walenstein  et  al.  [14]  provide  several  approaches  malware  detectors  use  to  detect  these 
metamorphic  malware.  One  such  approach  is  to  map  the  instructions  or  syntax  of 
a  program  to  certain  signatures  which  can  be  used  to  detect  a  malware.  However, 
metamorphic  malware  modifies  its  own  code  during  replication  creating  different  sig¬ 
natures.  In  order  for  a  malware  detector  to  detect  all  possible  variants  of  a  malware,  it 
must  contain  all  possible  signatures  matching  what  a  malware  can  become,  a  number 
which  may  quickly  become  unusable.  A  second  approach  given  to  detect  metamorphic 
malware  is  pattern  matching  or  more  general  signatures.  Patterns  may  abstract  out 
specific  syntactical  differences  between  signatures  to  match  larger  classes  of  metamor¬ 
phic  variants.  However,  the  problem  of  creating  patterns  to  match  many  variants  is 
difficult  and  the  number  of  patterns  needed  to  match  all  possible  variants  may  also 
become  unusable. 

Walenstein  et  al.  [14]  offer  a  third  approach  to  malware  detection:  program  nor¬ 
malization.  They  claim  that  program  normalization  removes  unimportant  variations 
between  generations  of  metamorphic  malware,  and  combined  with  pattern  matching, 
may  become  an  effective  means  of  malware  detection.  Lakhotia  et  al.  [6]  developed 
a  “generic”  normalizer  for  C  programs  which,  though  it  could  not  perfectly  nor- 
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malize  malware,  significantly  reduced  the  number  of  variants  of  generic  C  programs. 
Walenstein  et  al.  [14]  then  address  the  following  research  question:  “When  are  perfect 
normalizers  possible?”  They  define  a  restricted  normalization  problem  and  claim  that 
perfect  normalization  is  possible  for  some  malware  when  the  metamorphic  engine  is 
known. 

Intent  protection  as  defined  by  McDonald  and  Yasinsac  [7]  is  a  form  of  software 
obfuscation  which,  among  other  criteria,  prevents  an  adversary  from  understanding 
the  program’s  function  for  use  with  contextual  information.  If  an  adversary  can 
perfectly  normalize  both  a  program  P  and  an  obfuscated  version  of  the  program 
O(P)  to  one  normal  form,  the  adversary  has  identified  0(P )  as  P  and  assuming 
the  adversary  can  understand  the  function  of  P,  the  adversary  also  understands  the 
function  of  O(P).  Therefore,  if  a  malware  detector  can  perfectly  normalize  a  program 
P  and  any  obfuscation  (variant)  0(P)  of  the  program,  the  program  is  not  intent 
protected. 

McDonald  and  Yasinsac  [7]  then  narrow  the  problem  of  intent  protection  to  the 
obfuscation  of  combinational  logic  circuits  and  provide  positive  results  in  the  realm  of 
software  obfuscation  by  modeling  an  instruction-substitution  obfuscation  algorithm  as 
a  sub-circuit  selection  and  replacement  algorithm.  Based  on  the  requirements  of  intent 
protection  and  modeling  software  obfuscation  as  the  problem  of  circuit  obfuscation,  if 
a  malware  detector  can  perfectly  normalize  a  circuit  C  and  any  obfuscation  (variant) 
0(C)  of  the  circuit,  the  circuit  is  not  intent  protected. 

1.2  Research  Goals  and  Hypothesis 

The  primary  goal  of  this  research  effort  is  to  determine  if  a  malware  detector 
based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly  normalize  circuits 
transformed  by  a  sub-circuit  selection  and  replacement  algorithm  if  the  transformation 
algorithm  is  previously  known.  This  goal  is  met  when  the  transforming  rules  of  a 
sub-circuit  selection  and  replacement  algorithm  are  modeled  as  rewrite  rules  in  term 
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rewriting  theory  and  it  is  determined  if  there  exist  critical  overlaps  within  these  rewrite 
rules  that  cannot  be  resolved  thereby  preventing  this  rule  set  from  converging. 

The  secondary  goal  of  this  research  effort  is  to  determine  the  properties  of  a  sub¬ 
circuit  selection  and  replacement  algorithm  which  prevent  the  rule  set  from  converging 
and  to  determine  their  effectiveness  in  the  realm  of  software  obfuscation.  This  goal  is 
met  when  the  cause  of  critical  overlaps  within  the  rule  set  is  identified  and  related  to 
the  obfuscating  transformations  of  instruction-substitution  algorithms.  We  hypothesis 
and  test  whether  a  malware  detector,  based  upon  the  mechanisms  of  term  rewriting 
theory,  can  perfectly  normalize  circuits  transformed  by  a  sub-circuit  selection  and 
replacement  algorithm,  even  when  the  transformation  algorithm  is  known. 

1.3  Document  Overview 

Chapter  II  provides  an  overview  of  relevant  positive  and  negative  results  in  the 
realm  of  software  obfuscation  as  well  as  malware  detection.  Chapter  III  defines  the 
methodology  used  in  this  research  effort.  Chapter  IV  presents  the  data  collected  as 
a  result  of  exercising  the  experimental  framework  defined  in  Chapter  III  and  gives  us 
foundation  to  answer  the  questions  posed  by  this  research  effort.  Chapter  V  presents 
the  conclusions  of  this  research  result  and  their  significance  as  well  as  future  areas  of 
research. 
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II.  Software  Obfuscation  and  Metamorphic  Malware 

This  chapter  examines  several  positive  and  negative  results  related  to  the  field 
of  software  obfuscation.  Section  2.1  reviews  well-known  impossibility  results  of 
general  obfuscation  based  upon  the  virutal  black-box  and  best-possible  obfuscation 
models.  Section  2.2  summarizes  an  alternative  model  for  obfuscation  known  as  pro¬ 
gram  encryption  based  upon  the  Random  Program  Model.  Section  2.3  discusses  past 
work  on  metrics  and  measures  related  to  entropy  and  randomness.  Section  2.4  relates 
the  fields  of  software  obfuscation  with  malware  detection  highlighting  positive  results 
in  malware  detection  relevant  to  deobfuscation. 

2.1  General  Obfuscation 

Barak  et  al.  [2]  provide  a  negative  result  proving  that  no  2- Turing  Machine 
(2-TM)  or  2-Circuit  obfuscator  exists.  Informally,  they  define  a  obfuscator  O  as  an 
efficient,  probabilistic  “compiler”  which  takes  a  program  P  as  input  and  produces  an 
obfuscated  version  of  the  program  O(P)  as  the  output.  They  claim  that  an  obfuscator 
must  meet  the  following  criteria: 

1.  functionality,  which  requires  that  0(P )  compute  the  same  function  as  P, 

2.  polynomial  slowdown,  which  requires  that  O(P)  is  at  most  polynomially 
slower  than  P, 

3.  virtual  black-box  (VBB)  property,  which  requires  that  any  information 
which  can  be  efficiently  computed  from  O(P)  can  also  be  computed  given  oracle 
access  to  P. 

Barak  et  al.  reach  their  impossibility  result  by  constructing  a  family  F  of 
functions  with  the  property  7r  :  F  — >  0, 1  under  the  following  conditions: 

1.  7r(/)  can  be  efficiently  computed  given  any  program  with  a  function  f  E  F, 

2.  Given  oracle  access  to  a  randomly  selected  function  f  E  F,  no  efficient  algorithm 
can  compute  vr(/)  much  better  than  by  random  guessing. 
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These  conditions  show  that  no  general  obfuscator  (under  the  VBB  security  con¬ 
dition)  exists  for  programs  which  compute  these  functions,  as  the  obfuscator  cannot 
hide  7 r(/).  Therefore  Barak  et  al.  conclude  that  a  different  security  condition,  apart 
from  the  VBB  property,  must  be  presented  in  order  to  construct  a  general  obfuscator. 

In  another  study,  Goldwasser  and  Rothblum  [4]  present  a  different  notion  of 
software  obfuscation  known  as  best-possible  obfuscation.  Best-possible  obfuscation 
guarantees  that  whatever  information  is  leaked  by  an  obfuscated  program  O(P),  the 
same  information  is  also  leaked  by  any  other  program  P  which  computes  the  same 
functionality.  While  this  model  of  obfuscation  provides  no  guarantee  to  hide  any 
specific  information  in  program  P,  it  does  guarantee  that  O(P)  is  the  best  possible 
obfuscation  of  P. 

1.  Indistinguishability  Obfuscation.  An  algorithm  O  which  takes  a  circuit  C 
as  an  input  and  outputs  a  new  circuit  is  said  to  be  a  best-indistinguisability 
obfuscator  for  the  family  C,  if  it  both  preserves  functionality  and  exhibits  a 
polynomial  slowdown  along  with  the  following  property: 

•  Computationally /Statistically /Perfectly  Indistinguishable  Obfus¬ 
cation.  For  large  input  lengths,  for  any  circuit  C\  G  Cn  and  for  any  circuit 
C*2  G  Cn  that  compute  the  same  function  as  C\  and  \C\\  =  | C72 1 ,  0(C\)  and 
0{C2)  are  computationally/statistically/perfectly  indistinguishable. 

2.  Best-Possible  Obfuscation.  An  algorithm  O  which  takes  a  circuit  C  as  an 
input  and  outputs  a  new  circuit  is  said  to  be  a  best-possible  obfuscator  for  the 
family  C .  if  it  both  preserves  functionality  and  exhibits  a  polynomial  slowdown 
along  with  the  following  property: 

•  Computationally /Statistically /Perfectly  Best-Possible  Obfusca¬ 
tion.  For  large  input  lengths,  for  any  polynomial  size  circuit  adversary 
A,  there  exists  a  polynomial  size  simulator  circuit  S  such  that  for  any  cir¬ 
cuit  C\  G  Cn  and  for  any  circuit  C2  G  Cn  that  compute  the  same  function 
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as  Ci  and  \C\\  =  IC2I,  A(0{Ci))  and  S/C^)  are  computationally/statisti- 
cally/perfectly  indistinguishable. 

This  definition  guarantees  that  any  information  an  adversary  A  can  compute 
from  0(Ci)  can  also  be  computed  from  a  simulator  S  on  any  program  C2  of  the  same 
size  and  function. 

Goldwasser  and  Rothblum  further  prove  that  if  O  is  an  efficient  indistinguisha- 
bility  obfuscator  for  a  program  P,  then  it  is  also  an  efficient  best-possible  obfuscator 
for  C.  If  A  is  the  distance  measure  in  the  guarantee  of  the  obfuscator,  then  for  any 
two  circuits  C\  and  C2  of  the  same  size  and  functionality,  A(0(Ci),  S(C2))  <  e,  and 
A(0(C2),S(C2))  <  e  therefore: 


A(0(C1),  0(C2))  <  2e  (2.1) 

Finally,  Goldwasser  and  Rothblum  prove  that  if  the  family  of  3  — CNF  formulas 
can  be  statistically  best-possible  obfuscated,  even  in  non-polynomial  time,  then  there 
is  a  collapse  in  the  polynomial  hierarchy. 

2.2  Program  Encryption 

After  proving  that  general  obfuscators  satisfying  the  functionality,  polynomial 
slowdown,  and  VBB  property  do  not  exist,  Barak  et  al.  refer  to  the  VBB  property 
as  “inherently  flawed” .  McDonald  [9]  considers  the  two  questions  posed  by  Barak  et 
al.  in  determining  whether  an  alternative  security  property  of  obfuscation  exists: 

1.  Are  there  weaker  or  alternative  methods  for  obfuscation  that  provide  meaningful 
results? 

2.  Can  we  construct  obfuscators  for  restricted  but  non-tri vial /interesting  classes 
of  programs? 

Based  upon  these  questions,  [7-9]  provide  an  alternative  model  of  obfuscation 
and  show  that  general  obfuscators  do  exist  in  a  random  program  model  which  are  not 
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subject  to  Barak’s  impossibility  proof.  The  following  definitions  formalize  the  ideas 
of  understandability,  obfuscation,  and  intent  protection  in  this  model. 

Definition  1.  Black-Box  Understandable/Obfuscated  Program  P  —>  X,Y  is 

black-box  understandable  if  and  only  if  given  an  arbitrarily  large  set  of  pairs 
10  =  xt .  y,  such  that  yt  =  P(xi )  and  y3  an  arbitrary  element  of  Y  (not  an 
element  of  10),  an  adversary  can  guess  x3  such  that  y3  =  P(xj)  in  polynomial 
time  on  the  length  of  P  with  probability  >  e. 

Definition  2.  White-Box  Understandable/Obfuscated,  Informal  Program  P 
is  white-box  understandable  if  it  is  understandable  through  static  or  dynamic 
analysis  of  P  or  a  collaboration  of  the  two.  Otherwise,  we  say  P  is  white-box 
obfuscated. 

Definition  3.  Intent  Protected  Program  P  is  intent  protected  if  and  only  if  it  is 

black-box  protected,  white-box  protected,  and  protected  from  any  composition 
of  the  two. 

McDonald  and  James  [7]  summarize  three  properties  which  form  the  basis  of 
the  majority  of  theoretical  and  practical  models  of  obfuscation: 

1.  Semantic  Equivalence.  \/x  G  0,  ln  :  P(x)  =  P'(x ),  where  n  is  the  input  size 
of  P  and  P'  =  0{P). 

2.  Efficiency.  There  is  a  polynomial  l  such  that  for  every  circuit  P,  |0(P)|  < 

K\ p\). 

3.  Security.  A  property  that  expresses  some  notion  of  information  “hiding”  or 
security  guaranteed  by  O(-)  for  every  possible  circuit  under  consideration.  The 
expression  and  measurement  of  the  property  varies  from  model  to  model. 

Considering  these  definitions  and  properties,  [8]  define  a  model  of  obfuscation. 
In  order  to  make  concrete  statements  applicable  to  software  obfuscation,  they  claim 
that  researchers  have  based  general  representations  of  programs  as  either  Turing  ma¬ 
chines  or  circuits.  McDonald  and  Yasinsac  chose  to  define  obfuscation  transformations 
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on  circuits.  [7]  shows  that  they  can  simulate  a  Turing  machine  TM  on  inputs  having 
length  n  with  a  single  n-input  circuit  with  size  0((\TM\  +  n  +  t(n))2)  where  t(n) 
bounds  the  running  time  of  TM  for  inputs  of  length  n.  More  precisely,  they  base 
their  results  on  combinational  logic  circuits  and  subsequent  references  in  this  section 
to  circuits  refer  to  combinational  logic  circuits. 

In  order  for  a  program  P  to  be  intent  protected,  P  must  be  black-box  pro¬ 
tected,  white-box  protected,  and  protected  from  any  composition  of  the  two.  In  order 
to  achieve  a  useful  black-box  transformation,  McDonald  and  Yasinsac  provide  the 
following  two  requirements: 

1.  Change  in  Black-Box  Behavior.  The  functional  behavior  changes  for  some  ma¬ 
jority  of  the  values  in  the  domain  x ,  P(x)  P'(x). 

2.  Recovery  of  Black-Box  Behavior.  In  order  to  recover  the  original  functional 
output  of  P,  some  function  S(-)  must  allow  inversion:  V(x)  :  P(x)  =  S(P'(x)). 

Following  these  two  requirments,  McDonald  and  Yasinsac  provide  two  black¬ 
box  transformations  which  achieve  stronger  guarantees  of  security,  black-box  refine¬ 
ment  and  semantic  transformation.  They  refer  to  black-box  refinement  as  any  of  the 
following  modifications  to  a  circuit: 

1.  Adding  a  random  number  of  input  bits 

2.  Randomly  permuting  the  input  bits 

3.  Introducing  intermediate  gates  which  take  inputs  from  each  of  the  new  gates 
and  some  random  number  of  the  original  input  signals  of  P 

4.  Adding  a  random  number  of  output  bits 

5.  Randomly  permuting  the  output  bits 

McDonald  and  Yasinsac  refer  to  semantic  transformations  as  transformations 
which  compose  a  circuit  with  a  semantically  strong  encryption  algorithm.  The  algo¬ 
rithm  t(p,  k )  =  (pi,  r)  is  a  process  that  creates  a  circuit  p '  so  that  it  has  a  strongly 


one-way  input /output  relationship  with  an  original  circuit  p.  While  there  may  be 
many  possible  semantic  transformations  possible,  they  explore  transformations  which 
compose  the  output  of  the  original  circuit  p  with  the  input  of  a  strong  data  encryption 
circuit.  This  procedure  is  illustrated  in  figure  1. 

Finally,  intent  protection  also  requires  the  most  traditional  form  of  obfuscation, 
white-box  obfuscation.  A  white-box  transformation  w(p ,  k )  =  p'  takes  as  input  a 
circuit  p  and  some  information  embodied  in  a  key  k  producing  a  circuit  p'  which  is 
a  functionally  equivalent  yet  more  confused  variant  of  p.  McDonald  and  Yasinsac 
state  that  while  there  are  possibly  an  unlimited  number  of  white-box  obfuscation 
algorithms,  they  have  implemented  an  algorithm  based  on  sub-circuit  selection  and 
replacement.  The  algorithm  selects  a  small  (1  —  5  gates)  candidate  subcircuit  with  i 
inputs,  o  outputs,  and  computes  its  truth  table  TT.  The  algorithm  then  uniformly 
and  randomly  selects  a  replacement  circuit  from  the  set  of  circuits  with  i  inputs, 
o  outputs,  and  TT  truth  table.  The  algorithm  is  run  iteratively  until  the  security 
property  of  intent  protection  is  satisfied. 

As  Barak  et  al.  have  shown  that  no  general  obfuscator  exists  under  the  VBB 
model,  Yasinsac  and  McDonald  [15]  provide  an  alternative  model  known  as  the  Ran¬ 
dom  Program  Model.  Under  this  model,  a  random  program  oracle  transforms  any 
program  P  into  an  alternate  version  P' .  After  an  adversary  knows  any  n  pairs  of  orig¬ 
inal  and  encrypted  programs  {(Pi,  P{),  (P2,  P IQ,  (Pn-i,  P/_ i),  (Pn,  P'n )}  and  supplies  a 
program  Pn+i,  the  adversary  will  receive  P/+1  which  is  either:  a  random  program 
(Pfl)  or  the  obfuscated  version  of  the  program  0(Pn+1).  The  program  O(P)  provides 
intent  protection  if  and  only  if  the  probability  that  an  adversary  is  able  to  distin¬ 
guish  the  obfuscated  version  (P^+1)  from  a  random  program  (Pr)  is  1  +  e  where  e  is 
negligible. 

2.3  Metrics  Relating  to  Random  Programs 

This  section  will  now  consider  additional  related  works  on  metrics  of  entropy 
and  randomness  related  to  circuits.  Rajgopal  [12]  presents  spatial  entropy  as  an  infor- 
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mation  theoretic  basis  metric.  According  to  [12],  the  information  theoretic  definition 
of  entropy  is  a  measure  of  information  content  in  a  system,  which  he  says  can  be 
viewed  as  the  measure  of  disorder  in  a  system.  He  then  defines  spatial  entropy  as  the 
measure  of  spatial  disorder  in  a  system  which  captures  the  spatial  distance  between 
inputs  and  outputs  in  a  system.  As  a  system  computes  data,  data  is  propogating  from 
the  inputs  to  the  outputs  thus  reducing  the  spatial  disorder  (entropy)  in  the  system. 

Rajgopal  then  defines  spatial  entropy  relating  to  circuits.  As  spatial  entropy 
is  the  communication  effort  required  to  compute  the  circuit,  both  gates  and  wires 
contribute  to  this  effort.  Gates  compute  Boolean  values  and  wires  propogate  these 
values.  He  notes  that  while  it  is  the  wires  that  determine  how  the  bits  travel  across 
the  circuit,  the  gates  determine  the  distribution  of  Boolean  values  and  together  one 
can  measure  the  dynamic  communication  effort  required  in  the  circuit. 

Rajgopal  defines  a  circuit  as  a  directed  weighted  graph  G  =  (V,  E,  L)  where 
each  primary  input,  primary  output,  and  logic  gate  are  represented  by  a  node 
and  each  wire  is  represented  as  an  edge  {y,  w)  G  E  with  a  length  attribute  l(v,w)  €  L 
which  is  the  wire  length.  L  :  E  — >  3?  where  3?  is  the  set  of  real  numbers,  v  is  the 
source  node  and  w  is  the  destination  node  for  each  edge. 

Rajgopal  provides  the  classical  entropy  function  defined  in  information  theory: 


Hfa)  =  y>iog(— ) 

frf  Pi 


(2.2) 


N  is  the  total  number  of  possible  values  in  a  given  system. 

The  following  is  the  equation  to  compute  the  distribution  of  the  Boolean  values 
computed  at  node  w  by  the  binary  entropy  function  if (p^,p°): 


(2.3) 


Rajgopal  now  defines  the  spatial  entropy  S  for  a  circuit: 
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•  The  spatial  entropy  S  at  the  output  node  of  a  single  output  circuit  is  the 
information-distance  product  over  all  the  nodes  in  the  circuit. 


S  =  Y,Y,HV*  kv,w)  (2.4) 

v€V  w£V 

•  Hv  is  the  information  computed  at  the  node  v  over  its  input  probability  distri¬ 
bution  and  l(v,w)  is  the  length  of  the  fanout  edge  (v,  w)  G  E  from  node  v  to  node 

w. 

The  spatial  entropy  of  a  multi-output  circuit  is  defined  as  follows: 


m 

s  =  E  <2-5) 

1=1 

m  is  the  number  of  outputs  and  S0i  is  the  spatial  entropy  at  output  o;. 

In  order  to  compute  spatial  entropy  for  individual  gate  types,  (assuming  unit 
edge  length )  Rajgopal  next  defines  local  spatial  entropy  at  a  gate  node  g  G  V  as: 

5S„  (2.6) 

g’ev 

Hg  is  the  information  computed  at  the  gate  node  g  and  l(g,g')  is  the  length  of 
the  fanout  edge  from  node  g  to  node  g'.  As  Rajgopal  assumed  l(g<g>),  this  equation  is 
now  an  approximation  5Sg  =  Hg. 

For  example,  a  2-input  AND  gate  with  the  1-probabilities  p].,Py  at  its  inputs 
x ,  y  has  a  1-probability  of  p^nd  =  pi  *  pi  as  the  only  event  yielding  an  output  of  1  is 
pi  *Py.  The  local  spatial  entropy  of  a  2-input  AND  gate,  6Sand,  is  the  following: 

Hand  =  Pand  log  +  p\nA  log  (2.7) 

Pand  Pand 
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Finally,  as  a  second  example  a  2- input  XOR  gate  with  the  1-probability  pxor  = 
Py(  1  —  pi)  +  pl(  1  —  ply)  as  there  is  a  one  at  the  outputs  with  inputs  p \  *  p^  or  px  *  Py. 
Therefore,  the  local  spatial  entropy  of  a  2-input  XOR  gate,  SSxor,  is  the  following: 

Hxor  =  P°xor  log  +  Pxor  log  ~r~  (2-8) 

Pxor  Pand 

McDonald  [15]  refers  to  the  properties  of  confusion  and  diffusion  as  being  useful 
measures  of  intent  protection  under  the  Random  Program  Model.  As  with  data 
encryption,  the  program  encryption  techniques  must  confuse  or  scramble  the  original 
program  statements.  Common  implementations  of  confusion  include  selection  and 
replacement  algorithms.  Not  only  must  the  program  statements  be  confused,  but 
they  must  also  be  distributed  across  the  original  program  with  operations  that  move 
confused  code  unpredictably,  known  as  diffision. 

2-4  Metamorphic  Malware  and  Software  Obfuscation 

As  shown  by  Dalla  Preda  et  al.  [10,11],  the  held  of  malware  detection  is  closely 
related  to  the  held  of  software  obfuscation.  Dalla  Preda  discusses  software  piracy, 
malicious  reverse  engineering,  and  software  tampering  as  known  attacks  that  one 
attacker  can  use  to  gain  an  advantage  over  another.  While  software  developers  may 
rely  on  legal  measures  (copyrights,  patents,  and  licenses)  to  protect  their  software, 
software  obfuscation  is  an  attractive  technical  solution. 

Dalla  Preda  defines  an  obfuscator  as  a  program  which  transforms  programs  in  a 
way  that  the  obfuscated  code  is  functionally  equivalent  to  the  original  code  yet  more 
difficult  to  understand.  She  also  states  that  any  attacker  who  has  enough  time,  effort, 
and  determination  can  reverse  engineer  any  application  and  that  the  goal  of  software 
obfuscation  is  to  delay  the  release  of  “confidential  information”  for  a  sufficient  time. 

Dalla  Preda  then  shows  that  advances  made  in  the  held  of  software  obfuscation 
closely  relate  to  the  held  of  malware  detection.  While  there  are  many  different  forms 
of  malware  (viruses,  worms,  trojan  horses,  back-doors,  and  spyware)  there  are  two 
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major  approaches  to  malware  detection,  anomaly  detection  and  misuse  detection. 
Anomaly  detection  assumes  that  behaviours  of  malicious  code  will  differ  from  those 
normally  observed  on  a  system.  While  this  approach  has  the  advantage  that  no  specific 
knowledge  of  a  malware  is  required  to  detect  an  attack,  it  has  the  disadvantage  that 
not  all  abnormal  behaviours  are  malicious.  Conversely,  misuse  detection,  also  known 
as  signature  or  pattern-based  detection,  detects  attacks  by  searching  for  patterns  of 
known  malware.  While  the  disadvantages  of  misuse  detection  include  the  fact  this 
system  is  not  able  to  detect  new  attacks;  the  advantages  are  a  low  false  positive  rate 
and  ease  of  use. 

As  malware  writers  attempt  to  avoid  detection  by  these  systems,  obfuscated 
malware  are  becoming  more  prevalent.  Dalla  Preda  defines  two  forms  of  obfuscated 
malware: 

1.  Polymorphic  malware.  Malware  which  changes  its  syntatic  representation 
by  encrypting  its  payload  and  decrypting  during  execution.  This  form  of  mal¬ 
ware  can  be  detected  by  techniques  such  as  running  it  on  a  virtual  system  and 
observing  its  runtime  behavior.  As  all  forms  of  polymorphic  malware  look  alike 
after  decryption,  misuse  detection  systems  can  be  used. 

2.  Metamorphic  malware.  Malware  which  changes  the  syntax  of  each  succes¬ 
sive  generation  while  leaving  the  semantics  unchanged.  The  important  point  is 
that  obfuscating  transformations  can  easily  defeat  misuse  detection  systems.  In 
order  to  detect  metamorphic  malware,  standard  misuse  detection  systems  would 
have  to  keep  a  signature  for  all  possible  (which  could  be  an  unlimited  number) 
mutations  of  the  malware. 

This  background  provides  us  a  relationship  between  software  obfuscation  and 
metamorphic  malware.  Let  us  define  the  goal  of  software  obfuscation  as  intent  protec¬ 
tion  (described  in  section  2.2).  Let  us  also  define  the  goal  of  metamorphic  malware  as 
detection  avoidance.  If  a  program  is  intent  protected,  that  is  to  say  that  it  is  black¬ 
box  obfuscated,  white-box  obfuscated,  and  a  protected  against  any  composition  of 
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the  two,  then  it  also  satisfies  the  property  of  detection  avoidance.  Conversely,  if  an 
intrusion  detection  system  is  able  to  detect  a  obfuscated  metamorphic  malware,  then 
this  malware  is  not  intent  protected  as  either  black-box  information,  white-box  infor¬ 
mation,  or  information  from  a  combination  of  the  two  was  leaked.  This  observation 
makes  the  study  of  advanced  metamorphic  malware  detectors  interesting  as  it  may 
aid  in  defining  useful  and  secure  metrics  for  software  obfuscation. 

Walenstein  et  al.  [14]  claim  that  using  term  rewriting  theory,  they  are  able 
to  provide  approximate  solutions  to  metamorphic  malware  detection.  The  approach 
the  authors  take  to  detecting  metamorphic  generations  of  malware  is  to  normalize 
the  malware  in  order  to  remove  the  changes  that  defeat  misuse  detection  systems. 
They  argue  that  the  “perfect”  normalizer  would  transform  all  variants  of  a  specific 
malware  to  one  normal  form  and  call  the  problem  of  creating  a  normalizer  for  a  specific 
metamorphic  malware  the  “normalizer  construction  problem”  (NCP). 

Walenstein  et  al.  form  a  version  of  the  NCP,  which  they  term  “NCP=”,  using 
term  rewriting  theory  which  is  restricted  by  the  following  conditions: 

1.  An  accurate  model  of  the  metamorphic  engine  is  represented  as  a  term  rewriting 

system  TRS 

2.  The  metamorphic  engine  makes  only  semantic-preserving  transformations 

They  show  that  while  NCP=  is  undecidable  (no  procedure  can  exist  which 
is  guaranteed  to  halt  and  produce  a  correct  normalizing  transformation),  approxi¬ 
mations  exist  which  are  successful  on  certain  interesting  classes  of  programs.  The 
approximations  which  they  suggest  are:  (1)  using  “incomplete”  rule  sets,  (2)  using  a 
priority  scheme,  and  (3)  ignoring  conditions  in  the  rule  set. 

Previous  to  this  work,  Lakhotia  et  al.  [6]  developed  a  C  program  normalizer 
which  did  not  require  a  model  of  the  metamorphic  engine.  This  normalizer  was  able 
to  remove  transformations  such  as  expression  reshaping  and  constant  propogation, 
as  well  as  impose  variable  renaming,  variable  reordering,  and  instruction  reordering. 
While  their  approach  was  not  able  to  reduce  general  C  programs  to  a  normal  form 
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(due  to  transformations  such  as  equivalent  instruction  substitutions),  they  did  report 
a  large  reduction  in  the  total  number  of  possible  normalized  forms. 

Walenstein  et  al.  then  provide  different  reduction  stratagies  in  order  to  obtain 
a  reduced  form  of  a  metamorphic  program.  If  P  is  the  metamorphic  program,  M 
is  the  metamorphic  engine  of  P,  T  =  mi,  m2,...,  m3  is  the  set  of  transfomations 
performed  upon  P,  then  S(P)  is  the  set  of  all  possible  variants  of  P  that  can  be 
produced  through  the  transformations  of  M.  It  follows  then  that  if  one  knows  M, 
then  one  naive  approach  would  be  to  “reverse”  the  rules  to  produce  a  normalization. 
For  example,  if  one  transformation  is  A  — >  B  (statements  A  are  transformed  into 
statements  B),  then  perhaps  reversing  the  rule  and  applying  B  — >  A  would  correctly 
normalize  the  program.  However,  this  strategy  is  not  sufficient  as  the  system  is  not 
guaranteed  to  follow  the  correct  reversal  of  T  and  a  different  strategy,  i.e.  a  TRS,  is 
needed. 

The  following  is  a  brief  summation  of  the  definitions  of  term  rewriting  theory 
which  Walenstein  et  al.  provide,  though  more  detail  can  be  found  in  [1,14]. 

•  Terms,  subterms,  atomic,  and  ground.  Terms  are  constants,  variables, 
functions,  or  functions  on  terms.  A  term  t  may  contain  other  terms  known  as 
subterms  of  t.  An  atomic  term  does  not  contain  any  subterms.  A  ground  term 
does  not  contain  variables. 

•  Term  rewriting  system  (TRS).  A  TRS  is  a  set  of  rewrite  rules ,  s  — >  t. 
Rewrite  rules  may  be  conditional,  denoted  by  p\R  where  rule  R  is  to  be  applied 
only  when  condition  p  is  true. 

•  Reduction  relation  (— s >t)-  Given  terms  s  and  t,  (—>t)  is  defined  as  follows: 
s  — t  holds  iff  for  some  rewrite  rule  s'  — »  t\  s  has,  as  a  subterm,  an  instance 
of  s'  which  if  replaced  with  it’s  corresponding  instance  of  t',  turns  s  into  t. 

•  Equivalence  relation  (A).  The  — >  relation  on  terms  induces  an  equivalence 
relation  (A)  defined  by  the  reflexive  symmetric  transitive  closure  of  — (A) 
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partitions  the  set  of  terms  into  equivalence  classes.  [£]t  denotes  the  equivalence 
class  of  term  t  under  (A). 

•  Normal  form.  A  term  t  is  in  normal  form  if  it  is  not  related  to  any  other  term 
under  — ¥T.  Norm^x)  is  the  set  of  terms  [x\t  which  are  in  normal  form. 

•  Termination.  A  TRS  T  terminates  if  there  exists  no  infinite  chains  of  reduc¬ 
tions  {ti  — >  t2  — ►  ts...). 

•  Confluence.  If  x,  y,  and  z  are  arbitrary  terms  and  there  is  a  sequence  of  rules 
such  that  x  — >  y  and  x  — >  z,  then  the  system  is  confluent  if  every  such  y  and  z 
are  joinable.  Two  terms  y  and  z  are  joinable  if  there  exists  a  set  of  rewrite  rules 
such  that  y  and  z  reduce  to  some  arbitrary  term  w.  The  problem  of  converting 
an  arbitrary  TRS  into  an  equivalent  one  that  is  confluent  is  undecidable  [14]. 

•  Convergence.  A  TRS  is  convergent  if  it  is  confluent  and  terminating.  A  con¬ 
vergent  TRS  T  can  be  used  to  determine  membership  in  any  of  the  equivalence 
classes  defined  by  A  by  applying  the  rules  of  T  in  any  arbitrary  order  to  any 
given  input  x.  This  process  guarantees  a  unique  normal  form  unique  to  x’s 
equivalence  class. 

Therefore,  if  a  TRS  T  is  convergent,  then  given  any  variant  of  a  program  P,  T 
is  guaranteed  to  extract  a  unique  normal  form  which  will  match  any  other  variant  of 
P. 

As  previously  mentioned,  Walenstein  et  al.  show  NCP=  to  be  undecidable, 
though  they  define  procedures  which  attempt  to  solve  the  problem.  One  procedure 
involves  two  phases:  reorientation  and  completion.  The  reorientation  phase  reverses  a 
rule’s  application  direction  and  assigns  orientations  of  the  rules  such  that  the  reduction 
procedure  is  guaranteed  to  terminate  by  imposing  some  reduction  order  on  terms 
[1,14].  One  frequently  used  reduction  order  used  in  term  rewriting  systems  is  the 
well-founded  length-lexicographic  ordering.  This  reduction  order  reorients  rule  in  M 
whose  right  hand  sides  are  length-lexicographically  greater  than  their  left  hand  sides. 
Unless  there  are  rules  of  the  form  x  — »  x  then  the  resulting  system  Mt  is  terminating 
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because  any  rule  application  decreases  the  length-lexicographic  size  of  the  reduced 
term.  The  reader  is  referred  to  [14]  for  detailed  examples  of  reorientation. 

After  the  procedure  solving  NCP=  reorients  the  TRS,  it  must  then  complete 
the  rule  set.  Walenstein  et  al.  state  again  that  while  completing  a  TRS  is  in  general 
undecidable,  algorithms  exist  which  attempt  the  completion.  They  select  the  Knuth- 
Bendix  (KB)  completion  procedure  to  use  in  their  examples  as  it  is  the  most  prevalent 
method  used  in  term  rewriting  theory.  The  KB  completion  algorithm  essentially  works 
to  resolve  critical  overlaps  by  adding  certain  rules.  A  critical  overlap  occurs  either 
when  the  suffix  of  one  term  x  on  the  right  hand  side  is  identical  to  the  prefix  of 
another  term  y  or  when  one  term  s  on  the  right  hand  side  is  a  prefix  of  another  term 
t.  In  these  cases,  the  KB  completion  algorithm  attempts  to  resolve  this  conflict  by 
adding  rules  which  eventually  drive  the  reduction  to  the  same  term,  independant  of 
which  rule  is  selected.  A  detailed  explanation  of  the  algorithm  can  be  found  in  [5]. 

An  important  observation  that  Walenstein  et  al.  make  is  that  while  a  rneta- 
morphic  engine  which  contained  (non-preserving)  semantic  transformations  may  still 
be  modeled  as  a  TRS,  doing  so  may  make  it  difficult  to  reason  about  the  problem  of 
malware  detection.  They  provide  as  an  example  a  metamorphic  engine  with  a  rule 
P  — ►  B  where  P  is  the  entire  program  and  B  is  a  known  benign  program.  According 
to  this  ruleset,  with  respect  to  [£]m+>  B  is  equivalent  to  the  original  malware  P  since 
there  is  a  rule  which  makes  them  equivalent.  In  the  practical  world,  this  scenario 
would  introduce  false  positives  into  the  TRS.  Conversely,  if  the  rule  set  is  semantic 
preserving,  a  perfect  normalized  form  is  both  complete  and  sound. 

Finally,  as  completing  a  TRS  in  general  is  undecidable,  Walenstein  et  al.  provide 
several  approximations  for  malware  detection  using  a  TRS  T.  The  first  approximation 
considered  is  if  the  completion  procedure  on  T  does  not  complete  or  is  too  large  for 
normalization  purpose,  a  non-completed  (and  non-confluent)  rule  set  may  be  used. 
With  this  approximation,  normalizers  without  a  complete  rule  set  may  not  reduce  all 
variants  of  a  malware  P  to  one  unique  normal  form,  yet  they  will  reduce  all  variants 
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of  P  to  a  set  of  normal  forms.  The  size  of  this  set  depends  on  the  specifics  of  the 
non-completed  rnleset  and  P.  It  is  important  to  note  that  while  variants  of  P  may 
reduce  to  different  normal  forms,  once  again,  no  version  of  another  program  Q  will 
reduce  to  any  of  these  forms. 

2. 5  Background  Summary 

Several  authors  have  published  negative  proofs  for  general  obfuscation.  Barak 
et  al.  prove  that  no  general  obfuscator  exists  which  satisfies  the  VBB  property. 
Goldwasser  and  Rothblum  also  prove  that  no  best  possible  general  obfuscators  exist. 
Conversely,  McDonald  and  Yasinsac  provide  alternate  definitions  of  obfuscation  which 
are  not  subject  to  the  VBB  property.  They  provide  a  model  for  obfuscation  known 
as  the  Random  Program  Model  and  provide  a  test  for  general  obfuscation  within 
that  model.  Several  metrics,  such  as  spatial  entropy,  confusion,  and  diffusion  have 
been  related  to  circuits  and  may  be  useful  in  measuring  circuit  obfuscation.  Dalla 
Preda  relates  the  fields  of  software  obfuscation  and  malware  detection  and  provides 
examples  of  different  forms  of  obfuscated  malware.  Finally,  Walenstein  et  al.  define 
a  malware  detector  based  upon  the  theory  of  term  rewriting  which  may  be  able  to 
perfectly  normalize  some  forms  of  metamorphic  malware. 
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III.  Methodology 


3.1  Problem  Definition 

The  primary  goal  of  this  research  effort  is  to  determine  if  a  malware  detector 
based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly  normalize 
circuits  transformed  by  a  sub-circuit  selection  and  replacement  algorithm  if  the  trans¬ 
formation  algorithm  is  previously  known.  The  research  group  meets  this  goal  when 
the  transforming  rules  of  a  sub-circuit  selection  and  replacement  algorithm  are  mod¬ 
eled  as  rewrite  rules  in  term  rewriting  theory  and  the  research  group  determines  if 
there  exist  critical  overlaps  within  these  rewrite  rules  that  cannot  be  resolved.  If 
this  reseach  effort  shows  there  exist  rewrite  rules  which  cannot  be  resolved,  this  will 
prevent  a  program  normalizer  from  converging  this  rule  set. 

The  secondary  goal  of  this  research  effort  is  to  determine  the  properties  of 
a  sub-circuit  selection  and  replacement  algorithm  which  prevent  the  rule  set  from 
converging  and  to  relate  their  effectiveness  to  the  realm  of  software  obfuscation.  The 
research  group  meets  this  goal  when  the  cause  of  critical  overlaps  within  the  rule  set 
is  identified  and  related  to  the  obfuscating  transformations  of  instruction-substitution 
algorithms. 

3.2  Approach 

The  approach  this  research  group  used  to  accomplish  the  primary  goal  is  to 
model  the  sub-circuit  selection  algorithm  as  a  malware  detector  based  on  a  term 
rewriting  system  TRS  and  determine  if  there  exist  any  critical  overlaps  within  the 
transforming  rules  modeled  as  a  rule  set.  A  critical  overlap  occurs  when  the  prefix 
of  one  rewrite  rule  in  the  TRS  matches  the  suffix  of  another  rule,  or  when  one  term 
in  a  rewrite  rule  is  a  subterm  of  another  rewrite  rule.  If  critical  overlaps  do  exist, 
then  the  next  step  is  to  determine  if  a  completion  procedure  is  able  to  resolve  the 
critical  overlaps,  creating  a  convergent  rule  set.  As  the  problem  of  completing  a  TRS  is 
undecidable  in  the  general  case  [14] ,  attempts  to  complete  rule  sets  are  not  guaranteed 
to  terminate.  If  the  completion  procedure  is  shown  to  produce  a  cycle,  preventing 
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termination  of  the  algorithm,  then  it  is  shown  that  the  rule  set  is  non-convergent  and 
therefore  the  transforming  rules  of  the  sub-circuit  selection  and  replacement  algorithm 
cannot  be  normalized  using  that  completion  procedure. 

The  approach  used  to  accomplish  the  secondary  goal  is  to  utilize  the  malware  de¬ 
tector  modeling  the  sub-circuit  selection  and  replacement  algorithm  in  term  rewriting 
theory  and  examine  the  factors  contributing  to  the  number  of  critical  overlaps  within 
the  rule  set.  The  approach  is  to  then  determine  the  relationship  between  rewrite 
rules  utilized  by  a  TRS  and  equivalent  command  substitution  utilized  by  a  software 
obfuscator  and  to  draw  relevant  conclusions  in  the  field  of  software  obfuscation. 

3.3  System  Boundaries 

To  meet  the  goals  of  this  research  effort,  the  research  group  built  the  Circuit 
Transformation  Analysis  System  CTAS.  As  shown  in  Figure  3.1,  this  system  takes 
the  following  as  inputs: 

•  Circuit  Generation  Engine  CGE.  An  engine  capable  of  producing  circuits 
with  I  inputs,  O  outputs,  and  G  gates  which  can  be  used  by  a  sub-circuit 
selection  and  replacement  algorithm. 

•  Number  of  selected  gates.  The  number  of  selected  gates  Nsg  used  by  the 
sub-circuit  selection  and  replacement  algorithm  to  create  transformation  rules. 

•  Number  of  returned  gates.  The  number  of  returned  gates  Nrg  used  by  the 
sub-circuit  selection  and  replacement  algorithm  to  create  transformation  rules. 

Also  shown  in  Figure  3.1,  the  CTAS  provides  the  following  two  outputs: 

•  Number  of  Rewrite  Rules.  The  number  Np>j->  of  rewrite  rules  found  within 
the  rule  sets  of  the  CGE. 

•  Number  of  Critical  Overlaps.  The  number  Nco  of  critical  overlaps  found 
within  the  rewrite  rules. 
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Circuit  Generation 
Engine  CGE 


#  Rewrite  Rules  NRR 


#  Critical  Overlaps  Nco 

Figure  3.1:  Circuit  Transformation  Analysis  System 

The  CGE  is  a  input  of  the  sub-circuit  selection  and  replacement  algorithm.  As 
shown  in  Figure  3.2,  the  CGE  takes  the  following  inputs: 

•  Number  of  inputs.  The  number  of  inputs  /  the  generated  circuits  will  contain. 
This  input  guarantees  that  when  the  CGE  is  utilized  in  a  sub-circuit  selection 
and  replacement  algorithm,  the  replacement  circuits  the  CGE  produces  will 
contain  the  exact  number  of  inputs  necessary  to  properly  replace  the  selected 
sub-circuit. 

•  Number  of  outputs.  The  number  of  outputs  O  the  generated  circuits  will 
contain.  This  input  guarantees  that  when  the  CGE  is  utilized  in  a  sub-circuit 
selection  and  replacement  algorithm,  the  replacement  circuits  the  CGE  pro¬ 
duces  will  contain  the  exact  number  of  outputs  necessary  to  properly  replace 
the  selected  sub-circuit. 

•  Number  of  gates.  The  number  of  gates  G  the  generated  circuits  will  contain. 
This  input  guarantees  that  the  CGE  will  only  produce  sub-circuits  which  contain 
G  gates. 

As  shown  in  Figure  3.2,  the  CGE  provides  the  following  as  an  output: 

•  List  of  circuits.  This  is  a  list  of  circuits  L  with  /  number  of  inputs,  O  number 
of  outputs,  and  G  number  of  gates. 

It  is  important  to  note  that  while  all  sub-circuits  generated  by  the  CGE  contain 
I  inputs,  not  all  sub-circuits  utilize  each  of  the  /  inputs.  If  these  types  of  circuits  are 
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Figure  3.2:  Circuit  Generation  Engine 


Table  3.1:  The  signature  of  this  truth  table  is  the  value  of  the  output  column  0\ . 


h 

h 

Or 

0 

0 

0 

0 

1 

0 

1 

0 

0 

1 

1 

1 

then  returned  as  replacements  in  a  sub-circuit  selection  and  replacement  algorithm, 
it  may  introduce  intermediate  gates  whose  output  is  neither  an  output  of  the  circuit 
nor  an  input  of  any  gate,  otherwise  known  as  a  dangling  gate. 

A  sub-circuit  selection  and  replacement  algorithm  may  use  a  CGE  to  generate 
replacement  sub-circuits,  which  either  preserve  or  transform  semantics,  for  selected 
sub-circuits.  If  a  sub-circuit  selection  and  replacement  algorithm  selects  sub-circuits 
containing  G\  gates  and  replaces  them  with  sub-circuits  containing  gates,  the 
sub-circuit  selection  and  replacement  algorithm  will  determine  the  input  parameters 
/  and  O  of  the  CGE  based  upon  the  number  of  inputs  and  outputs  of  the  selected 
sub-circuit  and  it  will  initialize  the  input  parameter  G  of  the  CGE  to  the  value  G 2. 
The  CGE  will  then  return  the  list  of  sub-circuits  L  which  contain  /  inputs,  O  outputs, 
and  G2  gates.  The  sub-circuit  selection  and  replacement  algorithm  can  then  choose  a 
replacement  sub-circuit  from  L.  If  the  sub-circuit  selection  and  replacement  algorithm 
only  considers  semantic  preserving  transformations,  then  the  algorithm  must  choose 
a  replacement  from  L  which  contains  the  same  signature,  or  output  values,  as  the 
selected  circuit. 
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3.4  Evaluation  Technique 

3-4-1  Enumerate  Transformation  Rules.  The  CTAS  provides  results  to  meet 
the  goals  of  this  research  effort  by  performing  measurements  on  a  CGE  used  by  a  sub¬ 
circuit  selection  algorithm.  In  order  to  meet  the  first  research  goal,  the  CTAS  first 
determines  the  total  number  of  critical  overlaps  between  rewrite  rules  in  a  malware 
detector  using  the  transformation  rules  of  a  sub-circuit  selection  and  replacement 
algorithm  in  each  iteration. 

In  order  to  accomplish  this  first  step,  the  CTAS  enumerates  all  possible  trans¬ 
forming  rules  a  sub-circuit,  selection  algorithm  using  a  CGE  may  apply  to  a  circuit. 
In  this  research  effort,  two  sets  of  transformation  rules  are  evaluated.  During  the  first 
iteration,  the  CTAS  examines  all  possible  transformation  rules  that  a  sub-circuit  se¬ 
lection  and  replacement  algorithm  may  contain  when  selecting  sub-circuits  containing 
1  gate  and  replacing  them  with  sub-circuits  containing  2  gates.  During  the  second 
iteration,  the  CTAS  examines  all  possible  transformation  rules  when  selecting  sub¬ 
circuits  containing  2  gates  and  replacing  them  with  sub-circuits  containing  3  gates. 

In  order  to  enumerate  all  possible  transformation  rules  during  each  iteration, 
the  CTAS  determines  the  maximum  number  of  possible  unique  inputs  /  and  outputs 
O  when  selecting  Nsg  two-input  gates.  The  maximum  number  of  possible  inputs  of 
a  selected  sub-circuit  with  N$g  is  the  following: 

Ni  =  2  *  Nsg  (3.1) 

For  example,  the  CTAS  determines  the  maximum  number  of  inputs  a  sub-circuit 
containing  3  two-input  gates  is  6.  The  maximum  number  of  possible  unique  outputs 
of  a  selected  sub-circuit  with  Nsg  is  the  following: 

A o  =  NSg  (3.2) 
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For  example,  the  maximum  number  of  outputs  a  sub-circuit  containing  2  gates 

is  2. 

As  previously  stated,  the  research  group  exerices  the  CTAS  twice.  During  both 
executions,  the  CGE  input  remains  the  same  and  the  /  and  the  O  inputs  change. 
During  a  single  execution,  the  CTAS  iteratively  executes  the  CGE  with  the  input 
parameter  /  ranging  from  1  to  A/,  the  output  parameter  O  ranging  from  1  to  No, 
and  the  gates  parameter  G  set  to  both  N$g  and  Nrg-  During  each  iteration,  the 
CTAS  stores  two  lists  of  circuits.  The  first  list,  the  list  of  selected  gates  Lg,  is  the  list 
of  gates  generated  by  the  CGE  which  contain  Nrg  gates.  The  second  list,  the  list  of 
replacement  gates  Lr,  is  the  list  of  gates  generated  by  the  CGE  which  contain  Nrg 
gates.  Each  circuit  is  stored  with  its  signature  S  and  the  circuits  stored  in  the  list  of 
selected  gates  L$  are  also  stored  with  a  boolean  value  B,  indicating  the  ability  of  a 
circuit  to  be  selected  within  that  circuit  family. 

The  CTAS  sets  the  value  B  to  true  when  the  circuit  utilizes  each  of  its  inputs 
and  the  circuit  is  of  size  NSg',  the  CTAS  sets  B  to  false  otherwise.  It  is  possible  for 
the  CGE  to  return  circuits  which  do  not  use  all  of  their  possible  inputs.  These  circuits 
are  not  valid  sub-circuits  which  could  be  selected  within  the  i-o-g  family  of  circuits. 
It  is  necessary  for  the  CTAS  to  determine  this  boolean  value  in  order  to  determine 
the  set  of  transformation  rules. 

After  the  CTAS  creates  the  lists  of  selected  and  replacement  circuits  containing 
all  possible  circuits  with  up  to  Nj  inputs  and  No  outputs,  and  Nrg  and  Nrg  gates, 
their  signatures,  and  a  boolean  value  indicating  the  ability  to  be  selected,  the  CTAS 
is  then  able  to  create  the  list  of  transformations  rules  Lrr-  A  transformation  rule  R 
contains  two  variables:  a  circuit  which  can  be  selected  Cs  and  a  replacement  circuit 
Cr.  For  each  circuit  Ci  in  the  selected  circuit  list  Lr  which  can  be  selected  (B  is  set 
to  true),  the  CTAS  creates  a  rule  for  each  circuit  C3  in  the  replacement  circuit  list 
Lr  where  the  signatures  of  Ci  and  Cj  are  equal,  such  that  the  selected  circuit  Cs  is 


24 


Table  3.2:  An  example  of  a  transformation  rule  in  which  the  circuit  Cs  can  be 

transformed  to  the  circuit  Cr. _ 


Selected  Circuit  C$ 

Replacement  Circuit  Cr 

0  =  AND (-1 ,  -2) 

0  =  AND (-1 ,  -2) 

1  =  AND(0,  0) 

Table  3.3:  An  example  of  a  reduction  relation  in  which  the  circuit  Zj  can  be  rewritten 


as  the  circuit  r*  in  a  T 

US. 

Rule 

Label 

Condition 

k  — >  n 

Reorient? 

Mi 

0  =  ANDC-l,  -2)  0  =  AND (-1 ,  -2) 

1  =  AND(0,  0) 

y 

Ci  and  the  replacement  circuit  Cr  is  C3.  The  CTAS  then  adds  each  of  these  rules  to 
the  list  of  transformation  rules  Ltr. 

The  list  of  transformation  rules  Ltr  is  now  the  complete  list  of  semantic- 
preserving  transformation  rules  possible  which  can  be  used  in  a  sub-circuit  selection 
and  replacement  algorithm  using  the  CGE  provided  to  the  CTAS.  Once  this  list  is 
created,  the  first  step  of  accomplishing  the  first  goal  of  this  research  effort  is  accom¬ 
plished. 

3.4.2  Model  Transformation  Rules  as  a  TRS.  The  second  step  of  accom¬ 
plishing  the  goals  of  this  research  is  to  model  the  transformation  rules  generated  by 
a  sub-circuit  selection  and  replacement  algorithm  as  a  TRS.  In  order  to  accomplish 
this  step,  the  transformation  rules  must  be  represented  as  rewrite  rules  within  a  TRS. 
Table  5  gives  an  example  of  a  transformation  rule  with  a  1  gate  circuit  being  replaced 
by  a  functionally  equivalent  2  gate  circuit.  The  transformation  rule  from  figure  5  can 
then  be  represented  as  a  rewrite  rules  described  in  [14]  as  shown  in  figure  6. 

As  displayed  in  figure  6,  the  transformation  rule  of  figure  5  maps  into  a  rewrite 
rule  of  a  term  rewriting  system.  More  specifically,  if ,  J2,  0 1,  and  1  are  equivalent  to 
variables,  and  both  =  and  AND()  are  equivalent  to  functions  on  terms.  The  Label  in  a 
rewrite  rule  is  simply  a  unique  identifier  for  each  transformation  rule.  The  Condition 
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for  each  rewrite  rule  of  a  sub-circuit,  selection  and  replacement  algorithm  is  always 
empty  because  there  are  no  conditions  checked  (such  as  checking  for  live  registers) 
when  substituting  equivalent  sub-circuits.  And  finally,  Reorient  is  set  to  yes  if  the 
number  of  gates  on  the  left  hand  side  (selectable  gates)  is  less  than  the  number  of  gates 
on  the  right  hand  side  and  it  is  set  to  no  otherwise.  As  each  transformation  rule  can 
be  represented  as  a  rewrite  rule,  once  the  CTAS  has  created  the  list  of  transfomation 
rules  Ltr,  it  can  then  view  these  transformation  rules  as  a  set  of  rewrite  rules  and 
the  second  step  is  complete. 

3-4-3  Reversing  the  Rule  Set.  The  third  step  in  determining  if  the  rule 
set  can  be  normalized  is  to  create  a  malware  detector  M*  based  upon  the  reoriented 
(reversed)  rules  of  LR.  Rules  can  be  reoriented  by  reversing  the  application  direc¬ 
tion.  In  the  original  rule  set,  terms  on  the  left  hand  side  (the  sub-circuits  which 
could  be  selected)  could  be  rewritten  as  terms  on  the  right  hand  side  (replacement 
circuits).  In  the  reoriented  rule  set,  M*,  terms  on  the  right  hand  side  can  be  rewritten 
as  terms  on  the  left  hand  side,  thereby  reversing  the  sub-circuit  selection  and  replace¬ 
ment  transformations.  This  step  is  trivially  accomplished  by  acknowledging  that  the 
replacement  sub-circuits  CR  now  function  as  circuits  which  can  be  selected,  and  the 
selected  sub-circuits  now  function  as  sub-circuits  which  can  be  replacements;  thereby 
reversing  the  rule  set. 

3-4-4  Counting  Critical  Overlaps.  For  the  fourth  step  to  accomplish  the 
goals  of  this  research  effort,  the  research  group  determines  if  there  exist  any  critical 
overlaps  as  described  in  section  2.4.  According  to  [14],  a  critical  overlap  occurs  when 
the  prefix  of  a  rule  x  in  the  replacement  sub-circuits  matches  the  suffix  of  a  rule  y 
in  the  replacement  circuits  or  when  the  suffix  of  a  rule  s  in  the  replacement  circuits 
matches  the  prefix  of  a  rule  t  in  the  replacement  circuits. 

In  order  to  determine  the  number  of  critical  overlaps,  the  CTAS  takes  the  prefix 
of  each  replacement  circuit  Cr  within  the  list  of  transformation  rules  Ltr  and  records 
the  replacement  circuits,  whose  suffixes  match  the  prefix,  within  a  list  of  conflicting 
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rules  Lc ■  The  prefix  of  a  circuit  represented  as  term  in  term  rewriting  theory  is  the 
first  gate  listed  within  that  circuit.  The  suffix  of  a  circuit  represented  as  a  term  is  the 
last  gate  of  the  circuit.  The  prefix  and  suffix  match  if  the  terms  are  equivalent.  The 
fourth  step  is  accomplished  once  the  CTAS  has  created  a  list  of  conflicting  rules  Lc - 

3-4-5  Completing  the  Rule  Set.  If  the  CTAS  determines  at  this  point  that 
there  are  no  critical  overlaps,  then  the  rule  set  is  convergent  and  a  perfect  normal- 
izer  for  the  sub-circuit  selection  and  replacement  algorithm  exists.  If  the  CTAS  does 
contain  critical  overlaps,  then  the  rule  set  is  not  convergent  and  a  perfect  normalizer 
does  not  yet  exist.  However,  completion  procedures,  such  as  the  widely  used  Knuth 
Bendix  completion  procedure,  are  algorithms  which  attempt  to  resolve  critical  over¬ 
laps  by  adding  additional  rules  which  may  cause  a  TRS  to  become  convergent.  If 
the  rule  set  can  be  completed  by  a  completion  procedure,  then  the  system  is  conver¬ 
gent  and  a  perfect  normalizer  for  the  sub-circuit  selection  and  replacement  algorithm 
exists. 

According  to  [14]  the  problem  of  completing  a  TRS  is  in  general  undecidable 
and  is  not  guaranteed  to  terminate.  By  adding  additional  rules  to  Ltr  to  resolve 
critical  overlaps,  a  procedure  may  be  creating  additional  critical  overlaps  in  Cr.  In 
some  cases,  a  completion  procedure  enters  into  a  cycle,  preventing  the  procedure  from 
converging  the  rule  set. 

However,  this  research  group  notes  that  even  if  one  completion  procedure,  such 
as  the  Knuth-Bendix  completion  procedure,  is  unable  to  complete  the  rule  set,  this 
does  not  imply  that  no  completion  procedure  is  able  to  complete  the  rule  set.  It  is 
possible  to  complete  rule  sets  through  several  different  methods,  even  adding  rules  ad- 
hoc.  It  is  not  correct  to  assume  that  the  failure  of  one  completion  procedure  implies 
that  a  rule  set  cannot  be  completed  by  any  procedure,  though  it  may  be  reasonable 
to  discuss  the  complexity  of  such  other  algorithms. 

The  CTAS  accomplishes  the  first  goal  by  counting  the  set  of  critical  overlaps 
which  exist  after  a  completion  procedure  terminates  or  enters  into  a  cycle.  If  the 
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procedure  terminates,  then  there  are  no  critical  overlaps  remaining  within  the  rule 
set  Mt ,  therefore  Mt  is  convergent  and  a  malware  detector  using  the  set  of  rules  found 
within  M4  is  able  to  perfectly  normalize  any  circuit  C  and  any  obfuscated  form  of  the 
circuit  0(C)  to  one  normal  form  thereby  discovering  the  identity  of  the  circuit. 

Conversely,  if  the  completion  procedure  enters  into  a  cycle  and  fails  to  termi¬ 
nate,  then  the  rule  set  is  non- convergent  and  a  perfect  normalizer  for  the  sub-circuit 
selection  and  replacement  algorithm  does  not  yet  exist.  However,  it  is  important  to 
realize  that  another  completion  procedure  may  exist  which  can  complete  the  rule  set. 
In  this  case,  it  is  necessary  to  determine  the  cost  of  other  completion  procedures  which 
may  terminate  to  determine  their  effectiveness. 

3. 5  Methodology  Summary 

In  this  effort,  the  research  group  set  the  primary  goal  as  determining  if  a  mal¬ 
ware  detector  based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly 
normalize  circuits  transformed  by  a  sub-circuit  selection  and  replacement  algorithm  if 
the  transformation  algorithm  is  previously  known.  The  secondary  goal  is  to  determine 
the  properties  of  a  sub-circuit  selection  and  replacement  algorithm  which  prevent  the 
rule  set  from  converging  and  to  determine  their  effectiveness  in  the  realm  of  software 
obfuscation. 

The  approach  is  to  model  the  sub-circuit  selection  and  replacement  algorithm 
in  term  rewriting  theory  and  determine  if  there  are  irresolvable  critical  overlaps  which 
prevent  the  transformation  rule  set  from  converging.  If  the  transformation  rule  set 
is  non-converging,  then  the  causes  should  be  identified  and  related  to  the  realm  of 
software  obfuscation. 

The  Circuit  Transformation  Analysis  System  is  the  system  built  to  accomplish 
the  goals  of  this  research  interest.  The  CTAS  takes  the  Circuit  Generation  Engine  as 
an  input  and  computes  the  transformation  rule  set.  The  CTAS  then  models  this  rule 
set  as  a  set  of  rewrite  rules  in  a  term  rewriting  system  and  determines  if  there  exist 


any  critical  overlaps.  If  there  exist  irresolvable  critical  overlaps  which  prevent  the 
transformation  set  from  converging,  the  CTAS  provides  the  total  number  of  critical 
overlaps.  The  causes  of  these  critical  overlaps  should  be  identified  and  related  to  the 
realm  of  software  obfuscation. 
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IV.  Analysis  and  Results 


4-1  Chapter  Overview 

In  this  chapter,  we  present  and  interpret  the  results  of  the  research  effort  outlined 
in  Chapter  III.  As  a  primary  goal  of  this  research  effort,  this  research  group  deter¬ 
mines  if  a  malware  detector  based  upon  the  mechanisms  of  term  rewriting  theory  can 
perfectly  normalize  circuits  transformed  by  a  sub-circuit  selection  and  replacement 
algorithm.  To  fulfill  the  secondary  goal  of  this  research  effort,  this  reserach  group 
determines  the  properties  of  a  sub-circuit  selection  and  replacement  algorithm  which 
prevent  the  rule  set  from  converging  and  determine  their  effectiveness  in  software  ob¬ 
fuscation.  The  research  group  represents  the  data  of  this  experiment  in  tabular  and 
graph  form  and  interprets  the  data  to  accomplish  the  research  goals. 

4-2  Capabilities  of  the  CGE 

During  the  experiments,  the  CTAS  executes  the  CGE  with  the  number  of  inputs 
/,  the  number  of  outputs  O,  and  the  number  of  gates  G.  Unless  otherwise  stated,  all 
circuits  generated  by  the  CGE  are  created  from  the  six  gate  basis  =  {AND,  NAND, 
NOR,  NXOR,  OR,  XOR}.  This  chapter  contains  data  on  the  circuit  families  being 
enumerated  in  this  experiment.  However,  Appendix  B  provides  tables  which  contain 
the  cardinality  of  each  circuit  family  <5/_o-g  with  up  to  ten  inputs,  five  outputs,  and 
eight  gates. 

4-3  Results  of  Experiments  and  Literature  Comparison 

4-3.1  1  Gate  Selection  with  2  Gate  Replacement.  During  the  first  execution 

of  the  CTAS,  as  outlined  in  Chapter  III,  the  research  group  sets  the  number  of  selected 
gates  Nsg  to  1  and  the  number  of  returned  gates  Nrg  is  set  to  2.  This  will  allow 
the  CTAS  to  enumerate  all  possible  transformation  rules  utilized  by  a  sub-circuit 
selection  and  replacement  algorithm  selecting  sub-circuits  containing  one  gate  and 
replacing  them  with  functionally  equivalent  sub-circuits  containing  two  gates. 
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Table  4.1:  The  count  of  all  sub-circuits  which  are  able  to  be  used  by  a  sub-circuit 
selection  and  replacement  algorithm  selecting  sub-circuits  containing  1  gate  and  re¬ 
placing  them  with  sub-circuits  containing  2  gates. 


1  Gate 

2  Gates 

1  Input  -  1  Output 

6 

72 

2  Inputs  -  1  Output 

6 

324 

Subtotals 

12 

396 
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Figure  4.1:  Number  of  Circuits  (1  Gate  Selection  and  2  Gate  Replacement) 

In  order  to  accomplish  the  first  goal  of  the  research  effort,  to  determine  if  a 
malware  detector  can  perfectly  normalize  the  transformation  rules  of  a  sub-circuit 
selection  and  replacement  algorithm  which  selects  1  gate  and  replaces  it  with  2  func¬ 
tionally  equivalent  gates,  the  CTAS  first  enumerates  two  lists.  The  first  list  Ls  is 
the  list  of  all  possible  1  gate  sub-circuits  which  can  be  selected  within  any  circuit. 
The  second  list  Lr  is  the  list  of  all  possible  2  gate  sub-circuits  which  can  be  used 
for  replacements.  As  shown  in  Table  4.1,  the  CTAS  enumerates  the  list  Ls  of  all 
possible  sub-circuits,  which  can  be  selected  within  any  circuit,  containing  only  1  gate 
and  generates  12  unique  sub-circuits.  Also  shown  in  Table  4.1,  the  CTAS  enumerates 
the  list  Lr  of  all  possible  sub-circuits  containing  2  gates  and  generates  396  possible 
replacements.  Figure  4.1  provides  a  plot  of  these  data. 
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Table  4.2:  The  count  of  all  transformation  rules  possible  in  a  sub-circuit  selection 
and  replacement  algorithm  selecting  sub-circuits  containing  1  gate  and  replacing  them 
with  sub-circuits  containing  2  gates. 


1  Gate  to  2  Gates 

1  Input  -  1  Output 

104 

2  Inputs  -  1  Output 

72 

Total 

176 

Figure  4.2:  Number  of  Transformation  Rules(l  Gate  Selection  and  2  Gate  Re¬ 

placement) 

To  accomplish  the  next  step  of  the  primary  research  goal,  the  research  group  de¬ 
termines  all  possible  transformation  rules  for  a  sub-circuit  selection  and  replacement 
algorithm  selecting  sub-circuits  containing  1  gate  and  replacing  them  with  sub-circuits 
containing  2  gates.  As  shown  in  Table  4.2,  the  CTAS  enumerates  all  possible  trans¬ 
formation  rules  from  sub-circuits  containing  1  gate  to  sub-circuits  containing  2  gates 
and  generates  a  total  of  176  rules  with  a  majority  coming  from  the  circuit  family  <5i_i. 
Figure  4.2  provides  a  plot  of  this  data. 

The  research  group  represents  all  176  transformation  rules  generated  by  the 
CTAS  as  rewrite  rules  in  term  rewriting  theory.  Table  4.3  provides  a  subset  of  the 
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Table  4.3:  A  subset  of  the  reduction  relations  used  by  a  sub-circuit  selection  and 
replacement  algorithm  selecting  sub-circuits  containing  1  gate  and  replacing  them 
with  sub-circuits  containing  2  gates. 


Rule 

Label 

Condition 

k  *  T  i 

Reorient? 

m2 

0  =  ANDC-l,  -1)  ->  0  =  N0RC-1,  -1) 

1  =  NAND(0,  0) 

y 

m3 

0  =  AND(-1,  -1)  ->  0  =  ANDC-l,  -1) 

1  =  ANDC-l,  0) 

y 

m4 

0  =  ANDC-l,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NORCO,  0) 

y 

Table  4.4:  The  number  of  1  gate  sub-circuits  which  can  be  replaced  by  functionally 
equivalent  2  gate  sub-circuits. 


Partic.  Circuits 

Total  Circuits 

Percentage 

1  Input  -  1  Output 

6 

6 

100.00% 

2  Inputs  -  1  Output 

6 

6 

100.00% 

Total 

12 

12 

100.00% 

transformation  rules  displayed  as  rewrite  rules.  Appendix  A  contains  the  full  list  of 
all  176  rewrite  rules. 

The  left-hand  side  of  these  reduction  relations  include  the  12  sub-circuits  as 
shown  in  Table  4.1.  Table  4.4  provides  interesting  results  on  these  left-hand  sides.  As 
shown,  all  12  sub-circuits  participate  in  reduction  relations.  That  is  to  say  that  all  12 
sub-circuits  containing  only  1  gate  can  be  replaced  by  functionally  equivalent  2  gate 
sub-circuits.  Figure  4.3  provides  a  plot  of  this  data. 

Table  4.5  provides  data  on  the  frequency  of  the  sub-circuits  which  participate 
as  left-hand  sides  in  the  reduction  relations.  The  Min  and  Max  columns  shows  that 
each  sub-circuit  participates  in  a  minimum  of  12  and  a  maximum  of  20  reduction 
relations.  Table  4.5  also  provides  the  means,  standard  deviations,  and  variances  for 
the  frequency  of  sub-circuits  participating  in  the  reduction  relations. 
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1 1nput  -  1  Output  2  Inputs  - 1  Output 


Circuit  Family 


■  Replaceable  Circuits 

■  Total  Circuits 


Figure  4.3: 


Replaceable  Circuits  (1  Gate  Selection  and  2  Gate  Replacement) 


Table  4.5:  Circuit  Selection  Statistics  (left-hand  sides  of  the  reduction  relations). 


Mean 

Std.  Dev. 

Variance 

Min 

Max 

1  Input  -  1  Output 

17.3333 

1.8856 

3.5556 

16 

20 

1  Input  -  2  Outputs 

12.0000 

0.0000 

0.0000 

12 

12 

Total 

14.6667 

2.9814 

8.8889 

12 

20 
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Table  4.6:  The  number  of  2  gate  sub-circuits  which  can  replace  functionally  equiv¬ 
alent  1  gate  sub-circuits. 


Partic.  Circuits 

Total  Circuits 

Percentage 

1  Input  -  1  Output 

72 

72 

100.00% 

2  Inputs  -  1  Output 

72 

324 

22.22% 

Total 

144 

396 

36.36% 
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Circuit  Family 


Figure  4.4:  Replacement  Circuits  (1  Gate  Selection  and  2  Gate  Replacement) 

The  right-hand  side  of  these  reduction  relations  include  the  144  of  the  396  sub¬ 
circuits  shown  in  Table  4.1.  Table  4.6  provides  interesting  results  on  the  right-hand 
sides  of  the  reduction  rules.  As  shown,  only  144  of  the  396  sub-circuits  containing 
2  gates  can  be  used  for  replacements  of  functionally  equivalent  1  gate  sub-circuits. 
Figure  4.4  provides  a  plot  of  this  data. 

Table  4.7  provides  data  on  the  frequency  of  the  sub-circuits  which  participate 
in  as  left-hand  sides  in  the  reduction  relations.  The  Min  and  Max  columns  shows 
that  each  sub-circuit,  participates  in  a  minimum  of  1  and  a  maximum  of  2  reduction 
relations.  Table  4.7  also  provides  the  means,  standard  deviations,  and  variances  for 
the  frequency  of  sub-circuits  participating  in  the  reduction  relations. 
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Table  4.7:  Circuit  Replacement  Statistics  (left-hand  sides  of  the  reduction  rela¬ 

tions). 


Mean 

Std.  Dev. 

Variance 

Min 

Max 

1  Input  -  1  Output 

1.4444 

0.4969 

0.2469 

1 

2 

1  Input  -  2  Outputs 

1.0000 

0.0000 

0.0000 

1 

1 

Total 

1.2222 

0.4157 

0.1728 

1 

2 

Table  4.8:  All  possible  unique  terms  found  within  the  sub-circuit  selection  and 

replacement  algorithm. 


Term 

z  =  AND(x,  x) 

z  =  AND(x,  y) 

z  =  0R(x,  x) 

z  =  0R(x,  y) 

z  =  NAND(x,  x) 

z  =  NAND(x,  y) 

z  =  N0R(x,  x) 

z  =  N0R(x,  y) 

z  =  NX0R(x,  x) 

z  =  NX0R(x,  y) 

z  =  X0R(x,  x) 

z  =  X0R(x,  y) 

The  next  step  required  for  the  CTAS  to  determine  if  a  malware  detector  can 
perfectly  normalize  the  transformation  rules  of  a  sub-circuit  selection  and  replacement 
algorithm  which  selects  1  gate  and  replaces  it  with  2  functionally  equivalent  gates 
is  to  determine  if  there  exist  any  critical  overlaps  within  the  list  of  rewrite  rules. 
Critical  overlaps  occur  when  the  prefix  of  one  rewrite  rules  matches  the  suffix  of 
another  rewrite  rule.  In  a  sub-circuit  selection  and  replacement  algorithm  with  a  basis 
fl  =  {AND,  OR,  NAND,  NOR,  NXOR,  XOR}  there  are  12  unique,  single  gate  terms  shown  in 
Table  4.8. 

As  shown  in  Table  4.9,  each  unique  term  of  the  sub-circuit  selection  and  re¬ 
placement  algorithm  participates  in  rewrite  rules  as  both  prefixes  and  suffixes. 

The  CTAS  examines  all  possible  rewrite  rules  for  critical  overlaps  between 
prefixes  and  suffixes  and  determines  that  2,  558  critical  overlaps  exist  as  shown  in 
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Table  4.9:  The  frequency  of  terms  in  reduction  relations  of  1  to  2  gate  transforma¬ 
tions.  _ 


Term 

Prefix 

Suffix 

z  =  AND(x,  x) 

32 

16 

z  =  AND(x,  y) 

8 

17 

z  =  0R(x,  x) 

32 

16 

z  =  0R(x,  y) 

8 

17 

z  =  NAND(x,  x) 

20 

16 

z  =  NAND(x,  y) 

4 

17 

z  =  N0R(x,  x) 

20 

16 

z  =  N0R(x,  y) 

4 

17 

z  =  NX0R(x,  x) 

16 

6 

z  =  NX0R(x,  y) 

8 

16 

z  =  X0R(x,  x) 

16 

6 

z  =  X0R(x,  y) 

8 

16 

Subtotals 

176 

176 

Table  4.10:  The  frequency  of  terms  in  reduction  relations  of  1  to  2  gate  transfor¬ 
mations, _ 


Critical  Overlaps 

1  Gate  Selection  with  2  Gate  Replacement 

2,558 

Table  4.10.  Table  4.11  provides  an  example  of  one  of  the  critical  overlaps  between 
rewrite  rules  M2  and  M21  at  the  term:  z  =  NAND  (x,  y). 

As  critical  overlaps  exist  within  this  rule  set  it  is  by  definition  non-convergent 
and  a  perfect  normalizer  for  a  sub-circuit  selection  and  replacement  algorithm  based 
on  this  rule  set  does  not  yet  exist.  However,  if  a  completion  algorithm  such  as  the 
Knuth-Bendix  completion  procedure,  the  most  widely  used  completion  procedure  in 
term  rewriting  literature,  can  complete  the  rule  set  then  the  rule  set  is  convergent 
and  an  attacker  can  create  a  perfect  normalizer  for  this  sub-circuit  selection  and 
replacement  algorithm. 

In  order  to  complete  the  rule  set,  the  KB  completion  procedure  iterates  through 
each  critical  overlap  and  adds  a  new  rule,  using  existing  terms,  to  resolve  the  overlap. 
If  the  algorithm  terminates  without  an  error  it  completes  the  rule  set  and  the  rule  set 
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Table  4.11:  An  example  of  a  critical  overlap  within  the  reduction  relations.  The 

overlap  exists  between  the  suffix  of  M2  and  the  prefix  of  M2\ . 


Rule 

Label 

Condition 

k  — >  n 

Reorient? 

m2 

0  =  AND(-1,  -1)  ->  0  =  NORC-l,  -1) 

1  =  NANDCO,  0) 

y 

M2i 

0  =  N0R(-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  AND(0,  0) 

y 

is  convergent.  However,  completion  algorithms  are  not  gauranteed  to  terminate  and 
may  fall  into  a  cycle  of  adding  rules. 

When  the  KB  completion  algorithm  adds  rules  to  the  rule  set  containing  the 
prefixes  and  suffixes  displayed  in  Table  4.9,  it  immediately  falls  into  a  cycle.  This  is 
due  to  the  fact  that  in  order  to  resolve  critical  overlaps,  the  KB  completion  procedure 
adds  rules  using  only  prexisting  terms.  If  every  unique  term  of  the  TRS  is  used  as  a 
prefix  and  suffix  at  least  twice,  then  for  every  rule  the  KB  completion  procedure  adds, 
it  will  resolve  one  critical  overlap  while  always  creating  at  least  two  more.  The  new 
prefix  will  conflict  with  another  suffix  and  the  new  suffix  will  conflict  with  another 
prefix. 

As  every  unique  term  in  this  TRS  initially  participates  in  at  least  two  overlaps 
as  both  a  prefix  and  a  suffix  (e.g.,  every  term  z  =  NAND(x,  y )  as  a  suffix  participates 
in  a  critical  overlap  with  each  of  the  four  equivalent  prefixes  as  shown  in  Table  4.9), 
the  KB  procedure  fails  to  terminate  and  the  resulting  rule  set  is  non-convergent. 

However,  it  is  not  possible  to  prove  that  a  malware  detector  cannot  perfectly 
normalize  circuits  obfuscated  by  this  algorithm  because  even  if  one  completion  pro¬ 
cedure,  such  as  the  Knuth-Bendix  completion  procedure,  fails  to  terminate  it  may  be 
the  case  that  another  completion  procedure  exists  which  can  terminate  the  rule  set. 
In  the  case  of  the  rewrite  rules  based  upon  the  transformation  rules  of  the  sub-circuit 
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selection  and  replacement  algorithm  selecting  sub-circnits  containing  one  gate  and  re¬ 
placing  them  with  sub-circuits  containing  two  gates,  Knuth  Bendix  enters  into  a  cycle 
because  every  term  in  the  TRS  is  used  more  than  once  as  both  a  prefix  and  a  suffix. 
Therefore  every  rule  which  was  added  to  the  rule  set  conflicted  with  another  rule, 
producing  a  cycle.  However,  it  may  be  possible  to  construct  a  completion  procedure 
which  introduces  completely  new  terms  into  the  TRS  which  do  not  conflict  with  the 
current  rule  set.  If  it  is  possible  to  create  such  a  completion  procedure,  then  it  would 
be  possible  to  normalize  the  rule  set. 

4-3.2  2  Gate  Selection  with  3  Gate  Replacement.  This  section  displays  the 
outputs  generated  by  the  CTAS  when  the  number  of  selected  gates  Nsg  =  2  and  the 
number  of  returned  gates  NRG  =  3. 

In  this  second  experiment  the  CTAS  again  enumerates  two  lists.  The  first  list 
Ls  is  the  list  of  all  possible  2  gate  sub-circuits  which  can  be  selected  within  any 
circuit.  The  second  list  LR  is  the  list  of  all  possible  3  gate  sub-circuits  which  can  be 
used  for  replacements.  As  shown  in  Table  4.12,  the  CTAS  enumerates  the  list  L$  of 
all  possible  sub-circuits,  which  can  be  selected  within  any  circuit,  containing  only  2 
gates  and  generates  a  total  of  1,656  unique  sub-circuits.  Also  shown  in  Table  4.12, 
the  CTAS  enumerates  the  list  LR  of  all  possible  sub-circuits  containing  3  gates  and 
generates  634,  824  possible  replacement  sub-circuits.  Figure  4.5  provides  a  plot  of  this 
data  in  in  a  linear  scale  while  Figure  4.6  provides  a  plot  of  this  data  in  a  logarithmic 
scale. 

One  interesting  result  is  that  the  CTAS  determines  that  there  are  0  sub-circuits 
which  can  be  selected  in  the  54_;l_2  circuit  family.  This  is  intuitive  as  any  circuit 
which  is  generated  using  all  4  inputs  and  having  only  2  gates  will  have  2  mandatory 
outputs.  Mandatory  outputs  are  outputs  of  gates  which  are  not  connected  to  any 
other  inputs.  As  it  is  not  possible  to  generate  any  circuit  containing  4  inputs,  2  gates, 
and  only  1  (mandatory)  output,  there  are  0  circuits  which  can  be  selected  within  the 
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Table  4.12:  The  count  of  all  sub-circuits  which  are  able  to  be  used  by  a  sub¬ 

circuit  selection  and  replacement  algorithm  selecting  sub-circuits  containing  2  gates 
and  replacing  them  with  sub-circuits  containing  3  gates. 


2  Gates 

3  Gates 

1  Input  -  1  Output 

72 

1,512 

1  Input  -  2  Outputs 

108 

3,240 

2  Inputs  -  1  Output 

180 

9,720 

2  Inputs  -  2  Outputs 

432 

27,216 

3  Inputs  -  1  Output 

108 

33,696 

3  Inputs  -  2  Outputs 

540 

116,640 

4  Inputs  -  1  Output 

0 

86,400 

4  Inputs  -  2  Outputs 

216 

356,400 

Subtotals 

1,656 

634, 824 

—♦—1  Input  -  1  Output 
-•—1  Input  -  2  Outputs 
—A— 2  Inputs  - 1  Output 
— 2  Inputs  -  2  Outputs 
~  *~3  Inputs  - 1  Output 
-♦-3  Inputs  -  2  Outputs 
4  Inputs  - 1  Output 
■  4  Inputs  -  2  Outputs 


Figure  4.5:  Number  of  Circuits  (2  Gate  Selection  and  3  Gate  Replacement) 
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~ 1 1nput  -  1  Output 
-*-1  Input  -  2  Outputs 
-A— 2  Inputs  - 1  Output 
— 2  Inputs  -  2  Outputs 
)K  3  Inputs  - 1  Output 
-•—3  Inputs  -  2  Outputs 
4  Inputs  - 1  Output 
—4  Inputs  -  2  Outputs 


Figure  4.6:  Number  of  Circuits  (2  Gate  Selection  and  3  Gate  Replacement)  (Log¬ 
arithmic  Scale) 


£4-4-2  family.  Therefore,  analysis  throughout  this  chapter  will  relect  that  the  £4-1-2 
circuit  family  does  not  participate  in  any  rewrite  rules. 

To  accomplish  the  next  step  of  the  primary  research  goal,  the  research  group  de¬ 
termines  all  possible  transformation  rules  for  a  sub-circuit  selection  and  replacement 
algorithm  selecting  a  sub-circuit  containing  2  gates  and  replacing  it  with  a  sub-circuit 
containing  3  gates.  As  shown  in  Table  4.13,  the  CTAS  enumerates  all  possible  trans¬ 
formation  rules  from  sub-circuits  containing  2  gates  to  sub-circuits  containing  3  gates 
and  generates  a  total  of  374, 532  rules  with  a  majority  coming  from  the  circuits  con¬ 
taining  2  inputs.  Figure  4.7  provides  a  plot  of  this  data. 

All  374,  532  rules  generated  by  the  CTAS  can  be  represented  as  rewrite  rules 
in  term  rewriting  theory.  Table  4.14  provides  a  subset  of  the  transformation  rules 
displayed  as  rewrite  rules. 

The  left-hand  side  of  these  reduction  relations  include  all  possible  1,656  2  gate 
sub-circuits  as  shown  in  autoreftab:numCircuitslto2.  Table  4.15  provides  interesting 
results  on  these  left-hand  sides.  As  shown,  all  1,  656  sub-circuits  participate  in  reduc- 
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Tabic  4.13:  The  count  of  all  transformation  rules  possible  in  a  sub-circuit  selection 
and  replacement  algorithm  selecting  sub-circuits  containing  2  gates  and  replacing 
them  with  sub-circuits  containing  3  gates. 


1  Gate  to  2  Gates 

1  Input  -  1  Output 

27,  744 

1  Input  -  2  Outputs 

37, 188 

2  Inputs  -  1  Output 

112,656 

2  Inputs  -  2  Outputs 

119,892 

3  Inputs  -  1  Output 

8,016 

3  Inputs  -  2  Outputs 

58,668 

4  Inputs  -  1  Output 

0 

4  Inputs  -  2  Outputs 

10,368 

Total 

374,  532 

Circuit  Family 


—♦—Rules 


Figure  4.7:  Number  of  Transformation  Rules  (2  Gate  Selection  and  3  Gate  Re¬ 
placement) 
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Table  4.14:  A  subset  of  the  reduction  relations  used  by  a  sub-circuit  selection  and 
replacement  algorithm  selecting  sub-circuits  containing  2  gates  and  replacing  them 
with  sub-circuits  containing  3  gates. 


Rule 

Label 

Condition 

k  — >•  n 

Reorient? 

A/233,157 

0  =  XORC-2,  -1)  -»■  0  =  NXDRC-l,  -1) 

1  =  NORC-2,  -2)  1  =  X0R(0 ,  -2) 

2  =  X0R(1 ,  -1) 

y 

A/233,158 

0  =  X0R(-2,  -1)  -»■  0  =  AND (-2 ,  -1) 

1  =  NORC-2,  -2)  1  =  XORC-2,  -1) 

2  =  NORCO,  -2) 

y 

A/233,159 

0  =  XORC-2,  -1)  ->  0  =  0RC-1,  -1) 

1  =  NORC-2,  -2)  1  =  XORC-2,  -1) 

2  =  NX0RC1,  0) 

y 

A/233,160 

0  =  XORC-2,  -1)  ->  0  =  0RC-1,  -1) 

1  =  NORC-2,  -2)  1  =  NORC-2,  -2) 

2  =  X0RC0,  -2) 

y 

tion  relations.  That  is  to  say  that  all  1,  656  sub-circuits  containing  only  2  gates  can 
be  replaced  by  functionally  equivalent  3  gate  sub-circuits.  Figure  4.8  provides  a  plot 
of  this  data. 

Table  4.16  provides  data  on  the  frequency  of  the  sub-circuits  which  participate 
in  as  left-hand  sides  in  the  reduction  relations.  The  Min  and  Max  columns  shows  that 
each  sub-circuit  participates  in  a  minimum  of  20  and  a  maximum  of  1,756  reduction 
relations  (excluding  the  sub-circuits  from  the  5^-1  circuit  family).  Table  4.16  also 
provides  the  means,  standard  deviations,  and  variances  for  the  frequency  of  sub¬ 
circuits  participating  in  the  reduction  relations. 

Table  4.17  provides  interesting  results  on  these  right-hand  sides.  As  shown,  only 
73,  696  sub-circuits  participate  in  reduction  relations.  That  is  to  say  that  only  73,  696 
of  the  634,  824  sub-circuits  containing  3  gates  can  replace  the  functionally  equivalent 
2  gate  sub-circuits.  Figure  4.9  provides  a  plot  of  this  data. 
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Table  4.15:  The  number  of  2  gate  sub-circuits  which  can  be  replaced  by  functionally 
equivalent  3  gate  sub-circuits. 


Partic.  Circuits 

Total  Circuits 

Percentage 

1  Input  -  1  Output 

72 

72 

100.0000% 

1  Input  -  2  Outputs 

108 

108 

100.0000% 

2  Inputs  -  1  Output 

h- 1 

00 

o 

180 

100.0000% 

2  Inputs  -  2  Outputs 

432 

432 

100.0000% 

3  Inputs  -  1  Output 

108 

108 

100.0000% 

3  Inputs  -  2  Outputs 

540 

540 

100.0000% 

4  Inputs  -  1  Output 

0 

0 

100.0000% 

4  Inputs  -  2  Outputs 

216 

216 

100.0000% 

Total 

1,656 

1,656 

100.0000% 

■  Replaceable  Circuits 

■  Total  Circuits 


Circuit  Family 


Figure  4.8:  Circuits  which  can  be  Selected  (2  Gate  Selection  and  3  Gate  Replace¬ 
ment) 
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Tabic  4.16:  Circuit  Selection  Statistic  (left-hand  sides  of  the  reduction  relations). 


Mean 

Std.  Dev. 

Variance 

Min 

Max 

1  Input  -  1  Output 

385.3333 

65.5913 

4,302.2222 

312 

444 

1  Input  -  2  Outputs 

344.3333 

87.8583 

7,719.0741 

176 

476 

2  Inputs  -  1  Output 

625.8667 

503.3623 

253,373.5822 

256 

1,756 

2  Inputs  -  2  Outputs 

277.5278 

279.9564 

78,375.6103 

61 

1,668 

3  Inputs  -  1  Output 

74.2222 

42.6296 

1,817.2840 

44 

156 

3  Inputs  -  2  Outputs 

108.6444 

114.1173 

13,022.7625 

20 

410 

4  Inputs  -  1  Output 

0.0000 

0.0000 

0.0000 

0 

0 

4  Inputs  -  2  Outputs 

48.0000 

0.0000 

0.0000 

48 

48 

Total 

226.1667 

288.5435 

83,257.3466 

20 

1,756 

Table  4.17:  The  number  of  2  gate  sub-circuits  which  can  be  replaced  by  functionally 
equivalent  3  gate  sub-circuits. 


Partic.  Circuits 

Total  Circuits 

Percentage 

1  Input  -  1  Output 

1,512 

1,512 

100.00% 

1  Input  -  2  Outputs 

3240 

3,240 

100.00% 

2  Inputs  -  1  Output 

9,720 

9,720 

100.00% 

2  Inputs  -  2  Outputs 

22,468 

27,216 

82.55% 

3  Inputs  -  1  Output 

4,752 

33,696 

14.10% 

3  Inputs  -  2  Outputs 

26,820 

116,640 

22.99% 

4  Inputs  -  1  Output 

0 

86,400 

0.00% 

4  Inputs  -  2  Outputs 

5,184 

356,400 

1.45% 

Total 

73,696 

634,824 

11.61% 

45 


■  Replacement  Circuits 

■  Generated  Circuits 


Circuit  Family 

Figure  4.9:  Replacement  Circuits  (2  Gate  Selection  and  3  Gate  Replacement) 

Table  4.16  provides  data  on  the  frequency  of  the  sub-circuits  which  participate 
in  as  left-hand  sides  in  the  reduction  relations.  The  Min  and  Max  columns  shows  that 
each  sub-circuit  participates  in  a  minimum  of  20  and  a  maximum  of  1,756  reduction 
relations.  Table  4.18  also  provides  the  means,  standard  deviations,  and  variances  for 
the  frequency  of  sub-circuits  participating  in  the  reduction  relations. 

The  next  step  required  for  the  CTAS  to  determine  if  a  malware  detector  can 
perfectly  normalize  the  transformation  rules  of  a  sub-circuit  selection  and  replacement 
algorithm  which  selects  1  gate  and  replaces  it  with  2  functionally  equivalent  gates  is 
to  determine  if  there  exist  any  critical  overlaps  within  the  list  of  rewrite  rules.  As 
shown  in  Table  4.19,  each  unique  term  of  the  sub-circuit  selection  and  replacement 
algorithm  participates  in  rewrite  rules  as  both  prefixes  and  suffixes. 

The  CTAS  examines  all  possible  rewrite  rules  for  critical  overlaps  between  pre¬ 
fixes  and  suffixes  and  determines  that  10,  007,  353, 112  critical  overlaps  exist  as  shown 
in  Table  4.20. 

Table  4.21  provides  an  example  of  one  of  the  critical  overlaps  between  rewrite 
rules  M2 7,788  and  iRf233,i60  at  the  term:  z  =  OR(x,x). 
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Table  4.18:  Circuit  Replacement  Statistic  (right-hand  sides  of  the  reduction  rela¬ 
tions). 


Mean 

Std.  Dev. 

Variance 

Min 

Max 

1  Input  -  1  Output 

18.3492 

1.9693 

3.8781 

16 

20 

1  Input  -  2  Outputs 

11.4778 

4.2406 

17.9828 

5 

20 

2  Inputs  -  1  Output 

11.5901 

2.4098 

5.8073 

8 

14 

2  Inputs  -  2  Outputs 

5.3361 

1.9900 

3.9600 

1 

8 

3  Inputs  -  1  Output 

1.6869 

1.2999 

1.6898 

1 

6 

3  Inputs  -  2  Outputs 

2.1875 

0.8243 

0.6794 

1 

4 

4  Inputs  -  1  Output 

0.0000 

0.0000 

0.0000 

0 

0 

4  Inputs  -  2  Outputs 

2.0000 

0.0000 

0.0000 

2 

2 

Total 

5.0821 

4.3216 

18.6760 

1 

20 

Table  4.19:  The  frequency  of  terms  in  reduction  relations  of  2  to  3  gate  transfor¬ 
mations.  _ 


Term 

Prefix 

Suffix 

z  =  AND(x,  x) 

48,266 

17,888 

z  =  AND(x,  y) 

19,528 

42,382 

z  =  0R(x,  x) 

48,266 

17,888 

z  =  0R(x,  y) 

19,528 

42,382 

z  =  NAND(x,  x) 

40,518 

18,960 

z  =  NAND(x,  y) 

16,262 

44, 024 

z  =  N0R(x,  x) 

40,518 

18,960 

z  =  N0R(x,  y) 

16,262 

44, 024 

z  =  NX0R(x,  x) 

43,418 

20,298 

z  =  NX0R(x,  y) 

19,274 

43, 714 

z  =  X0R(x,  x) 

43,418 

20,298 

z  =  X0R(x,  y) 

19,274 

43, 714 

Subtotals 

374,532 

374,532 

Table  4.20:  The  frequency  of  terms  in  reduction  relations  of  2  to  3  gate  transfor¬ 
mations, _ 


Critical  Overlaps 

2  Gate  Selection  with  3  Gate  Replacement 

10,007,353,112 
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Table  4.21:  An  example  of  a  critical  overlap  within  the  reduction  relations.  The 

overlap  exists  between  the  suffix  of  M2 7,788  and  the  prefix  of  M233}ieo. 


Rule 

Label 

Condition 

k  *  V  i 

Reorient? 

A/27,788 

0  =  N0R(-1,  -1)  ->  0  =  ANDC-l,  -1) 

1  =  AND(-1,  -1)  1  =  NORCO,  -1) 

2  =  0R(-1,  -1) 

y 

A/233,160 

0  =  XORC-2,  -1)  ->  0  =  0R(-1,  -1) 

1  =  NORC-2,  -2)  1  =  NORC-2,  -2) 

2  =  XORCO,  -2) 

y 

Table  4.22:  An  example  transformation  of  C\  to  Ct  by  applying  the  reduction 

relation  M27j78S. 


Original  Circuit  C\ 

Rule 

Transformed  Circuit  Ct 

2  =  NORCO,  0) 

3  =  AND  CO ,  0) 

4  =  N0RC1,  1) 

5  =  X0RC2,  1) 

A/27,788  _H ” 

2  =  AND  CO ,  0) 

3  =  N0RC1,  1) 

4  =  0R(0,  0) 

5  =  N0RC1,  1) 

6  =  X0RC2,  1) 

Table  4.22  provides  an  example  of  a  circuit  C\  which  cannot  be  perfectly  nor¬ 
malized  because  of  the  critical  overlap  between  the  reduction  relations  M27788  and 
A/233, i60-  The  circuit  is  transformed  to  the  circuit  Ct  by  the  rule  M27)788. 

Table  4.23  provides  one  normalization  of  the  circuit  based  on  the  reversal  of  rule 
M2 7]788,  known  as  N27j88.  This  reversal  results  in  the  original  circuit  C\. 

Table  4.24  provides  a  second  (incorrect)  normalization  of  the  circuit  based  on 
the  reversed  rule  which  results  in  circuit  C2. 

If  there  existed  no  other  rules  which  could  reduce  C\  and  C2 ,  then  this  critical 
overlap  would  prevent  a  malware  detector  from  perfectly  reducing  Ct  to  one  normal 
form. 
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Table  4.23:  An  example  of  the  correct  normalization  of  Ct  into  C\ . 


Transformed  Circuit  Ct 

Rule 

Normalized  Circuit  C2 

2  =  AND(0,  0) 

3  =  N0RC1,  1) 

4  =  0R(0,  0) 

5  =  N0R(1,  1) 

6  =  X0R(2 ,  1) 

A^27,788  — ► 

2  =  NORCO,  0) 

3  =  AND(0,  0) 

4  =  N0R(1,  1) 

5  =  X0R(2,  1) 

Table  4.24:  An  example  of  an  incorrect  normalization  of  Ct  into  C2. 


Transformed  Circuit  Ct 

Rule 

Normalized  Circuit  C2 

2  =  AND(0,  0) 

3  =  N0R(1,  1) 

4  =  0R(0 ,  0) 

5  =  N0R(1,  1) 

6  =  X0R(2,  1) 

A^233,160  ^ 

2  =  AND(0,  0) 

3  =  N0R(2,  0) 

4  =  X0RC1,  0) 

5  =  N0R(1,  1) 

Once  again,  as  critical  overlaps  exist  within  this  rule  set  it  is  by  definition 
non-convergent  and  a  perfect  normalizer  for  a  sub-circuit  selection  and  replacement 
algorithm  based  on  this  rule  set  does  not  yet  exist.  However,  if  a  completion  algorithm 
such  as  the  Knuth-Bendix  completion  procedure  can  complete  the  rule  set  then  the 
rule  set  is  convergent  and  an  attacker  can  create  a  perfect  normalizer  for  this  sub¬ 
circuit  selection  and  replacement  algorithm. 

In  order  to  complete  the  rule  set,  the  KB  completion  procedure  iterates  through 
each  critical  overlap  and  adds  a  new  rule,  using  existing  terms,  to  resolve  the  overlap. 
If  the  algorithm  terminates  without  an  error  it  completes  the  rule  set  and  the  rule  set 
is  convergent.  However,  completion  algorithms  are  not  gauranteed  to  terminate  and 
may  fall  into  a  cycle  of  adding  rules. 

When  the  KB  completion  algorithm  adds  rules  to  the  rule  set  containing  the 
prefixes  and  suffixes  displayed  in  Table  4.19,  it  immediately  falls  into  a  cycle.  This  is 
due  to  the  fact  that  in  order  to  resolve  critical  overlaps,  the  KB  completion  procedure 
adds  rules  using  only  prexisting  terms.  If  every  unique  term  of  the  TRS  is  used  as  a 
prefix  and  suffix  at  least  twice,  then  for  every  rule  the  KB  completion  procedure  adds, 
it  will  resolve  one  critical  overlap  while  always  creating  at  least  two  more.  The  new 
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prefix  will  conflict  with  another  suffix  and  the  new  suffix  will  conflict  with  another 
prefix. 

As  every  unique  term  in  this  TRS  initially  participates  in  at  least  two  overlaps 
as  both  a  prefix  and  a  suffix  (e.g.,  every  term  z  =  NAND(x,  y)  as  a  suffix  participates 
in  a  critical  overlap  with  each  of  the  four  equivalent  prefixes  as  shown  in  Table  4.19), 
the  KB  procedure  fails  to  terminate  and  the  resulting  rule  set  is  non-convergent. 

However,  once  again,  this  research  does  not  prove  that  a  malware  detector 
cannot  perfectly  normalize  circuits  obfuscated  by  this  algorithm.  Even  though  one 
completion  procedure,  the  Knuth-Bendix  completion  procedure,  fails  to  terminate  it 
may  be  the  case  that  another  completion  procedure  exists  which  can  terminate  the 
rule  set.  In  the  case  of  the  rewrite  rules  based  upon  the  transformation  rules  of 
the  sub-circuit  selection  and  replacement  algorithm  selecting  sub-circuits  containing 
one  gate  and  replacing  them  with  sub-circuits  containing  two  gates,  Knuth-Bendix 
enters  into  a  cycle  because  every  term  in  the  TRS  is  used  more  than  once  as  both  a 
prefix  and  a  suffix.  Therefore  every  rule  which  was  added  to  the  rule  set  conflicted 
with  another  rule,  producing  a  cycle.  However,  it  may  be  possible  to  construct  a 
completion  procedure  which  introduces  completely  new  terms  into  the  TRS  which  do 
not  conflict  with  the  current  rule  set.  If  it  is  possible  to  create  such  a  completion 
procedure,  then  it  would  be  possible  to  normalize  the  rule  set. 

4-4  Summary 

The  primary  goal  of  this  research  effort  is  to  determine  if  a  malware  detector 
based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly  normalize  circuits 
transformed  by  a  sub-circuit  selection  and  replacement  algorithm  if  the  transformation 
algorithm  is  previously  known.  The  results  of  this  chapter  have  accomplished  this 
goal  by  determining  that  it  is  not  possible  to  prove  that  a  malware  detector  cannot 
perfectly  normalize  the  circuits  transformed  by  a  sub-circuit  selection  and  replacement 
algorithm.  While  the  Knuth-Bendix  completion  procedure  is  not  able  to  complete  the 
rule  sets  generated  by  the  sub-circuit  selection  and  replacement  algorithm,  there  may 
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exist  another  completion  procedures  which  would  terminate  and  complete  the  rule 
sets. 

The  secondary  goal  of  this  research  effort  is  to  determine  the  properties  of  a  sub¬ 
circuit  selection  and  replacement  algorithm  which  prevent  the  rule  set  from  converging 
and  determine  their  effectiveness  in  software  obfuscation.  While  the  transforming 
rules  of  the  sub-circuit  selection  and  replacement  algorithm  contain  critical  overlaps, 
this  does  not  guarantee  that  a  completion  procedure  cannot  complete  the  rule  set. 
However,  the  strength  of  the  rule  set  is  that  all  possible  terms  are  both  prefixes  and 
suffixes  of  rules  which  causes  the  KB  procedure  to  cycle  preventing  the  convergence. 
In  order  to  prevent  a  malware  detector  from  normalizing  an  obfuscated  program,  a 
software  obfuscator  based  on  command  substitution  must  contain  a  rule  set  which 
cannot  be  completed  by  a  completion  procedure. 

While  it  is  not  possible  to  prove  that  no  completion  procedures  exist  which 
can  complete  these  rule  sets,  it  may  be  possible  to  increase  the  cost  of  performing 
this  analysis  to  an  acceptable  amount.  For  instance,  before  the  completion  procedure 
begins,  an  attacker  must  be  able  to  first  enumerate  the  entire  rule  set.  If  the  cost  of 
enumerating  the  rule  set  is  too  high  (whether  it  would  take  a  certain  amount  of  time  or 
space),  this  may  be  an  effective  way  to  prevent  the  attacker  from  normalizing  the  rule 
set  for  a  certain  amount  of  time.  One  possible  way  to  accomplish  this  goal  is  to  choose 
replacement  sub-circuits  from  a  random  subset  of  a  large  circuit  family  Si-0-g.  If  the 
obfuscator  is  able  to  select  replacements  uniformly  from  the  set  of  all  replacements 
in  a  circuit  family,  without  having  to  enumerate  the  entire  family,  it  may  be  possible 
to  utilize  replacement  families  which  will  take  the  attacker  an  acceptable  amount  of 
time  or  space  to  fully  enumerate.  The  key  is  that  in  order  for  an  attacker  to  model 
the  obfuscator  as  a  TRS  and  attempt  to  complete  the  rule  set,  the  attacker  must 
fully  enumerate  all  circuit  families  used  in  a  sub-circuit  selection  and  replacement 
algorithm  in  order  to  create  the  rule  set. 
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V.  Conclusions  and  Recommendations 


5. 1  Chapter  Overview 

The  primary  purpose  of  this  chapter  is  to  provide  conclusions  based  on  the  results 
given  in  Chapter  IV.  This  chapter  will  also  highlight  the  significance  of  this 
research  effort  and  provide  recommendations  for  future  research  in  the  realms  of 
software  obfuscation  and  malware  detection. 

5.2  Significance  of  Research 

There  are  two  significant  results  of  this  research  effort.  This  research  establishes 
that  while  it  is  not  possible  to  prove  that  a  malware  detector  based  upon  the  mech¬ 
anisms  of  term  rewriting  thoery  cannot  perfectly  normalize  a  circuit  obfuscated  by  a 
sub-circuit  selection  and  replacement  algorithm,  it  may  be  possible  to  create  a  rule 
set  which  drives  the  runtime  or  storage  cost  of  a  malware  detector  to  a  high  cost, 
preventing  the  attacker  from  obtaining  a  solution  for  an  acceptable  amount  of  time. 

While  Chess  and  White  [3]  suspect  that  perfect  detection  of  all  metamorphic 
malware  is  impossible,  Walenstein  et  al.  [14]  claim  that  restricted  versions  of  the 
normalization  problem  are  solvable.  Specifically,  they  claim  that  perfect  normalization 
may  be  possible  when  an  accurate  model  of  the  metamorphic  engine  of  a  malware  is 
known.  As  a  sub-circuit  selection  and  replacement  algorithm  can  be  modeled  as 
a  metamorphic  engine,  then  it  is  an  interesting  result  to  determine  if  a  malware 
detector  can  perfectly  normalize  circuits  obfuscated  by  this  algorithm.  If  a  malware 
detector  can  perfectly  normalize  a  circuit,  then  the  malware  detector  can  reduce  the 
original  circuit  as  well  as  all  all  possible  obfuscations  of  the  circuit,  based  upon  the 
transformation  rules  of  the  sub-circuit  selection  and  replacement  algorithm,  to  the 
same  normal  form. 

This  research  effort  has  determined  that  there  exist  critical  overlaps  within 
the  transformation  rules  of  a  sub-circuit  selection  and  replacement  algorithm  which 
prevent  a  malware  detector  based  on  the  mechanisms  of  term  rewriting  theory  from 
perfectly  normalizing  obfuscated  circuits.  This  is  a  significant  result  because  even  if  a 
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malware  detector  has  an  accurate  model  of  the  sub-circuit  selection  and  replacement 
algorithm,  this  research  effort  shows  perfect  normalization  of  circuits  obfuscated  by 
this  algorithm  is  not  possible  using  an  existing  completion  procedure. 

However,  it  is  not  possible  to  prove  that  a  malware  detector  cannot  perfectly 
normalize  circuits  obfuscated  by  this  algorithm  because  even  if  one  completion  proce¬ 
dure,  such  as  the  Knuth-Bendix  completion  procedure,  fails  to  terminate,  it  may  be 
the  case  that  another  completion  procedure  exists  which  can  terminate  the  rule  set. 
In  the  case  of  the  rewrite  rules  based  upon  the  transformation  rules  of  the  sub-circuit 
selection  and  replacement  algorithm,  Knuth  Bendix  enters  into  a  cycle  because  every 
term  in  the  TRS  is  used  more  than  once  as  both  a  prefix  and  a  suffix.  Therefore  every 
rule  which  was  added  to  the  rule  set  conflicted  with  another  rule,  producing  a  cycle. 
However,  it  may  be  possible  to  construct  a  completion  procedure  which  introduces 
completely  new  terms  into  the  TRS  which  do  not  conflict  with  rules.  If  it  is  possible 
to  create  such  a  completion  procedure,  then  it  would  be  possible  to  normalize  the  rule 
set. 

This  research  provides  significant  results  for  the  field  of  software  obfuscation. 
Firstly,  in  order  for  a  software  obfuscator  based  upon  command  substitution  to  pre¬ 
vent  perfect  normalization  of  obfuscated  programs,  it  must  contain  transformation 
rules  which  prevent  known  completion  procedures,  such  as  the  most  widely  used 
Knuth-Bendix,  from  converging  the  rule  set.  This  can  be  accomplished  by  inserting 
transformation  rules  which  cause  completion  procedures  such  as  Knuth-Bendix  to  cy¬ 
cle,  thereby  forcing  the  malware  detector  to  use  an  approximation  to  the  normalization 
problem  such  as  using  an  incomplete  rule  set. 

Secondly,  while  it  is  not  possible  to  prove  that  no  completion  procedures  exist 
which  can  complete  a  rule  set,  it  may  be  possible  to  create  a  rule  set  which  would  be 
too  costly  for  an  attacker  to  analyze  with  a  TRS.  Before  a  completion  procedure  is 
run  on  a  rule  set,  the  malware  detector  must  be  able  to  enumerate  all  possible  trans¬ 
formation  rules  that  a  metamorphic  engine  can  use.  One  strength  of  a  sub-circuit 
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selection  and  replacement  algorithm  is  that  it  is  able  to  generate  rules,  rather  than 
simply  using  stored  rules.  If  a  sub-circuit  selection  and  replacement  algorithm  can 
dynamically  create  replacement  circuits,  without  enumerating  the  entire  i-o-g  family, 
but  rather  only  a  random  subset  of  the  family,  the  sub-circuit  selection  and  replace¬ 
ment  algorithm  may  be  able  to  use  replacement  circuits  which  exist  in  familys  that 
are  far  too  costly  to  generate  exhaustively.  In  order  for  a  malware  detector  based 
upon  term  rewriting  theory  to  perfectly  normalize  original  and  obfuscated  circuits, 
it  must  be  able  to  generate  all  possible  rules  before  executing  a  completion  proce¬ 
dure.  Therefore,  a  sub-circuit  selection  and  replacement  algorithm  which  is  able  to 
dynamically  create  transformation  rules  may  be  able  to  greatly  increase  the  cost  of  a 
malware  detector’s  analysis  to  prevent  the  attacker  from  completing  the  rule  set  (if  it 
is  even  possible)  for  an  acceptable  amount  of  time. 

5.3  Recommendations  for  Future  Research 

The  primary  recommendation  for  future  research  would  be  to  create  selection 
and  replacement  algorithms  which  can  select  replacement  circuits  from  <5j_G_9  families 
with  a  uniform  distribution  without  enumerating  all  possible  sub-circuits  within  that 
family.  If  this  is  possible,  then  it  may  be  possible  to  prevent  any  TRS  from  reducing 
the  rule  set  for  a  certain  amount  of  time  and  cost  to  the  attacker. 

Future  analysis  of  the  sub-circuit  selection  and  replacement  algorithm  modeled 
as  a  TRS  is  also  possible.  While  this  research  effort  inspected  the  rewrite  rules 
and  critical  overlaps  of  1  to  2  gate  and  2  to  3  gate  transformations,  inspecting  the 
capabilities  of  other  transformation  combinations  such  as  3  to  4  gates  may  also  provide 
interesting  results. 

Another  interesting  research  area  would  be  examining  the  effects  of  a  sub-circuit 
selection  and  replacement  algorithm  which  contained  transformation  rules  that  re¬ 
duced  the  size  of  the  circuit.  Transformation  rules  which  contain  selected  sub-circuits 
that  are  length-lexicographically  larger  than  their  replacement  sub-circuits  cannot  be 
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reoriented  in  a  malware  detector.  This  property  of  a  instruction-substitution  algo¬ 
rithm  might  also  prevent  perfect  normalization. 

Finally,  future  researchers  may  discover  more  efficient  methods  of  generating 
functionally  equivalent  replacement  sub-circuits.  During  this  effort,  the  research  group 
examined  the  size  of  the  circuit  families,  searching  for  previously  published  integer 
sequences.  The  research  group  found  that  the  integer  series  containing  the  cardi¬ 
nalities  of  the  circuit  families  containing  one  input  and  one  output  with  a  one  gate 
basis,  as  enumerated  in  Appendix  A,  are  isomorphic  to  the  integer  series  A000366 
enumerated  in  the  ATT  Research  Online  Encyclopedia  of  Integer  Series  [13].  This 
integer  series  is  known  as  the  Genocchi  medians  divided  by  2n~1.  Furthermore,  D. 
E.  Knuth  described  the  Genocchi  medians  as  “the  number  of  Boolean  functions  of  n 
variables  whose  ROBDD  (reduced  ordered  binary  decision  diagram)  contains  exactly 
n  branch  nodes,  one  for  each  variable”  [13].  Considering  that  this  research  effort  has 
uncovered  a  relationship  between  the  cardinalities  of  the  generated  circuit  families 
and  ROBDDs,  future  research  may  provide  more  efficient  algorithms  for  generating 
replacement  sub-circuits  based  on  operations  to  ROBDDs. 

5.4  Conclusions  of  Research 

The  primary  goal  of  this  research  effort  is  to  determine  if  a  malware  detector 
based  upon  the  mechanisms  of  term  rewriting  theory  can  perfectly  normalize  circuits 
transformed  by  a  sub-circuit,  selection  and  replacement  algorithm,  even  when  the 
transformation  rule  set  (metamorphic  engine)  is  previously  known.  This  goal  is  met 
when  the  transformation  rules  of  a  sub-circuit  selection  and  replacement  algorithm  are 
modeled  as  rewrite  rules  in  term  rewriting  theory  and  it  is  determined  if  there  exist 
critical  overlaps  within  these  rewrite  rules  that  cannot  be  resolved  thereby  preventing 
a  program  normalizer  from  converging  this  rule  set. 

The  secondary  goal  of  this  research  effort  is  to  determine  the  properties  of  a  sub¬ 
circuit  selection  and  replacement  algorithm  which  prevent  the  rule  set  from  converging 
and  to  determine  their  effectiveness  in  the  realm  of  software  obfuscation.  This  goal  is 
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met  when  the  cause  of  critical  overlaps  within  the  rule  set  is  identified  and  related  to 
the  obfuscating  transformations  of  instruction-substitution  algorithms. 

The  primary  goal  of  this  research  effort  was  accomplished  by  determining  that 
it  is  not  possible  to  prove  that  a  malware  detector  based  upon  the  mechanisms  of  term 
rewriting  theory  cannot  perfectly  normalize  circuits  transformed  by  a  sub-circuit  se¬ 
lection  and  replacement  algorithm,  even  when  the  transformation  rule  set  is  previously 
known.  While  the  Knuth-Bendix  completion  procedure  is  not  able  to  complete  the 
rule  sets  generated  by  the  sub-circuit  selection  and  replacement  algorithm,  there  may 
be  other  completion  procedures  which  would  terminate  and  complete  the  rule  sets. 

The  secondary  goal  of  this  research  effort  is  accomplished  through  an  analysis 
of  the  critical  overlaps  found  within  the  rewrite  rules  in  Tables  6-8  and  13-14.  As  the 
rewrite  rules  contain  properties  that  prevent  the  Knuth-Bendix  completion  procedure 
from  succesfully  converging  the  rule  set,  these  properties  can  also  be  used  in  the 
realm  of  software  obfuscation.  Also,  this  research  has  determined  that  it  may  be 
possible  to  dynamically  create  transformation  rules  which  would  prevent  an  attacker 
from  completing  the  rule  set  (if  it  was  possible)  with  a  different  completion  procedure 
for  a  certain  acceptable  amount  of  time.  Therefore,  this  research  effort  successfully 
accomplishes  both  research  goals  through  an  analysis  of  the  data  collected  through 
experimentation. 
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Appendix  A.  Circuit  Family  Counts 
1  GATE  BASIS  (the  1-1  family  is  the  Genocchi  Medians  divided  by  2n_1). 


Table  A.l:  The  number  of  sub-circuits  containing  1,  2, 
3,  and  4  gates 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

1  In.  -  1  Out. 

1 

2 

7 

38 

1  In.  -  2  Out. 

3 

15 

111 

1  In.  -  3  Out. 

18 

162 

1  In.  -  4  Out. 

180 

1  In.  -  5  Out. 

2  In.  -  1  Out. 

3 

9 

45 

333 

2  In.  -  2  Out. 

18 

126 

1,242 

2  In.  -  3  Out. 

180 

2,160 

2  In.  -  4  Out. 

2,700 

2  In.  -  5  Out. 

3  In.  -  1  Out. 

6 

24 

156 

1,464 

3  In.  -  2  Out. 

60 

540 

6, 660 

3  In.  -  3  Out. 

900 

13,500 

3  In.  -  4  Out. 

18,900 

3  In.  -  5  Out. 

4  In.  -  1  Out. 

10 

50 

400 

4,550 

4  In.  -  2  Out. 

150 

1,650 

24,450 

4  In.  -  3  Out. 

3,150 

56, 700 

4  In.  -  4  Out. 

88,200 

4  In.  -  5  Out. 

5  In.  -  1  Out. 

15 

90 

855 

11,430 

5  In.  -  2  Out. 

315 

4,095 

70,875 
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Table  A.l  —  continued  from  previous  page 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

5  In.  -  3  Out. 

8,820 

185,220 

5  In.  -  4  Out. 

317,520 

5  In.  -  5  Out. 

6  In.  -  1  Out. 

21 

147 

1,617 

24, 843 

6  In.  -  2  Out. 

588 

8,820 

174,636 

6  In.  -  3  Out. 

21,168 

508,032 

6  In.  -  4  Out. 

952,560 

6  In.  -  5  Out. 

7  In.  -  1  Out. 

28 

224 

2,800 

48,608 

7  In.  -  2  Out. 

1,008 

17, 136 

382,032 

7  In.  -  3  Out. 

45,360 

1,224,720 

7  In.  -  4  Out. 

2,494,800 

7  In.  -  5  Out. 

8  In.  -  1  Out. 

36 

324 

4,536 

87,804 

8  In.  -  2  Out. 

1,620 

30, 780 

763,020 

8  In.  -  3  Out. 

89,100 

2,673,000 

8  In.  -  4  Out. 

5,880,600 

8  In.  -  5  Out. 

9  In.  -  1  Out. 

45 

450 

6,975 

148,950 

9  In.  -  2  Out. 

2,475 

51,975 

1,418,175 

9  In.  -  3  Out. 

163,350 

5,390,550 

9  In.  -  4  Out. 

12,741,300 

9  In.  -  5  Out. 

10  In.  -  1  Out. 

55 

605 

10,285 

240, 185 

10  In.  -  2  Out. 

3,630 

83,490 

2,486,550 

10  In.  -  3  Out. 

283, 140 

10,193,040 
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Table  A.l  —  continued  from  previous  page 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

10  In.  -  4  Out. 

25, 765, 740 

10  In.  -  5  Out. 

Table  A. 2:  The  number  of  sub-circuits  containing  5  and 
6  gates 


5  Gates 

6  Gates 

1  In.  -  1  Out. 

295 

3,098 

1  In.  -  2  Out. 

1,131 

15,123 

1  In.  -  3  Out. 

1,998 

32,022 

1  In.  -  4  Out. 

2,520 

46,080 

1  In.  -  5  Out. 

2,700 

54, 000 

2  In.  -  1  Out. 

3,393 

45,369 

2  In.  -  2  Out. 

16,254 

271,458 

2  In.  -  3  Out. 

34,020 

675,540 

2  In.  -  4  Out. 

48,600 

1,101,600 

2  In.  -  5  Out. 

56, 700 

1,417,500 

3  In.  -  1  Out. 

18,516 

301,704 

3  In.  -  2  Out. 

106, 740 

2,145,060 

3  In.  -  3  Out. 

259,200 

6,156,000 

3  In.  -  4  Out. 

415,800 

11,264,400 

3  In.  -  5  Out. 

529,200 

15,876,000 

4  In.  -  1  Out. 

68,800 

1,323,950 

4  In.  -  2  Out. 

464, 250 

10,921,650 

4  In.  -  3  Out. 

1,285,200 

35,569,800 
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Table  A. 2  continued  from  previous  page 


5  Gates 

6  Gates 

4  In.  -  4  Out. 

2,293,200 

72,324,000 

4  In.  -  5  Out. 

3,175,200 

111,132,000 

5  In.  -  1  Out. 

201,195 

4,468,050 

5  In.  -  2  Out. 

1,556,415 

41,983,515 

5  In.  -  3  Out. 

4,842,180 

153,124,020 

5  In.  -  4  Out. 

9,525,600 

342,921,600 

5  In.  -  5  Out. 

14,288,400 

571,536,000 

6  In.  -  1  Out. 

499,065 

12,566,883 

6  In.  -  2  Out. 

4,355,316 

132,559,308 

6  In.  -  3  Out. 

15,050,448 

535,529,232 

6  In.  -  4  Out. 

32,387,040 

1,310,722,560 

6  In.  -  5  Out. 

52,390,800 

2,357,586,000 

7  In.  -  1  Out. 

1,097,488 

30,905,504 

7  In.  -  2  Out. 

10,667,664 

361,701,648 

7  In.  -  3  Out. 

40,551,840 

1,603,838,880 

7  In.  -  4  Out. 

94,802,400 

4,261,118,400 

7  In.  -  5  Out. 

164,656,800 

8,232,840,000 

8  In.  -  1  Out. 

2,201,256 

68,555,484 

8  In.  -  2  Out. 

23,585,580 

881,686,620 

8  In.  -  3  Out. 

97,831,800 

4,258,089,000 

8  In.  -  4  Out. 

246,985,200 

12,208,125,600 

8  In.  -  5  Out. 

458,686,800 

25,227,  774,000 

9  In.  -  1  Out. 

4,105,575 

140,125,050 

9  In.  -  2  Out. 

48,076,875 

1,964,558,475 

9  In.  -  3  Out. 

216,112,050 

10,266,057,450 

9  In.  -  4  Out. 

586,099,800 

31,598,424,000 
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Table  A. 2  continued  from  previous  page 


5  Gates 

6  Gates 

9  In.  -  5  Out. 

1,159,458,300 

69,567,498,000 

10  In.  -  1  Out. 

7,219,465 

267,981,725 

10  In.  -  2  Out. 

91,733,730 

4,068,072,030 

10  In.  -  3  Out. 

444,246,660 

22,872,332,340 

10  In.  -  4  Out. 

1,288,287,000 

75,235,960,800 

10  In.  -  5  Out. 

2,705,402,700 

175,851,175,500 

Table  A. 3:  The  number  of  sub-circuits  containing  7  and 
8  gates 


7  Gates 

8  Gates 

1  In.  -  1  Out. 

42,271 

726, 734 

1  In.  -  2  Out. 

256,335 

5,364,471 

1  In.  -  3  Out. 

643,518 

15, 797, 862 

1  In.  -  4  Out. 

1,055,520 

29,432,880 

1  In.  -  5  Out. 

1,363,500 

42,012,000 

2  In.  -  1  Out. 

769,005 

16,093,413 

2  In.  -  2  Out. 

5,620,806 

141,116,202 

2  In.  -  3  Out. 

16,441,380 

480,124,260 

2  In.  -  4  Out. 

30,488,400 

1,007,607,600 

2  In.  -  5  Out. 

43,375,500 

1,584,481,500 

3  In.  -  1  Out. 

6,133,476 

151,845,144 

3  In.  -  2  Out. 

52,659,540 

1,547,754,660 

3  In.  -  3  Out. 

176,482,800 

5,994,356,400 

3  In.  -  4  Out. 

366,357,600 

14,037,710,400 
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Table  A. 3  continued  from  previous  page 


7  Gates 

8  Gates 

3  In.  -  5  Out. 

571,536,000 

24,195,024,000 

4  In.  -  1  Out. 

31,441,000 

900,414,950 

4  In.  -  2  Out. 

310,618,650 

10,480,182,450 

4  In.  -  3  Out. 

1,175,542,200 

45,605,359,800 

4  In.  -  4  Out. 

2,705,976,000 

118,110,384,000 

4  In.  -  5  Out. 

4,604,040,000 

221,867,100,000 

5  In.  -  1  Out. 

121,482,495 

3,954,428,190 

5  In.  -  2  Out. 

1,358,636,895 

51,800,283,675 

5  In.  -  3  Out. 

5,736,078,180 

250,476,366,420 

5  In.  -  4  Out. 

14,517,014,400 

711,619,473,600 

5  In.  -  5  Out. 

26,790,750,000 

1,448,843,760,000 

6  In.  -  1  Out. 

385,111,041 

14,050,856,379 

6  In.  -  2  Out. 

4,811,989,140 

204,699,391,596 

6  In.  -  3  Out. 

22,434,502,608 

1,089,574,515,792 

6  In.  -  4  Out. 

61,958,312,640 

3,371,715,668,160 

6  In.  -  5  Out. 

123,380,334,000 

7,402,034,178,000 

7  In.  -  1  Out. 

1,054,199,440 

42,624,538,208 

7  In.  -  2  Out. 

14,559,579,216 

683,866,611,792 

7  In.  -  3  Out. 

74,319,003,360 

3,975,100,103,520 

7  In.  -  4  Out. 

222,516,201,600 

13,314,967, 142,400 

7  In.  -  5  Out. 

475,858,152,000 

31,370,413,536,000 

8  In.  -  1  Out. 

2,576,504,376 

114,373,655,964 

8  In.  -  2  Out. 

38,983,386,780 

2,004,290,035,020 

8  In.  -  3  Out. 

216,286,864,200 

12,635,838,210,600 

8  In.  -  4  Out. 

698,050,742,400 

45,562,982,889,600 

8  In.  -  5  Out. 

1,596,230,064,000 

114,715,275,246,000 
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Table  A. 3  continued  from  previous  page 


7  Gates 

8  Gates 

9  In.  -  1  Out. 

5,753,550,375 

278,220,779,550 

9  In.  -  2  Out. 

94,658,109,975 

5,288,297,585,175 

9  In.  -  3  Out. 

567,282,370,050 

35,947, 141,911,450 

9  In.  -  4  Out. 

1,963,689,156,000 

138,864,625,614,000 

9  In.  -  5  Out. 

4,782,765,487,500 

372,186,114,300,000 

10  In.  -  1  Out. 

11,936,234,365 

624,591,267,905 

10  In.  -  2  Out. 

212,175,834,090 

12,800,169,906,150 

10  In.  -  3  Out. 

1,366,107,  745,860 

93,334,292,534,340 

10  In.  -  4  Out. 

5,049,569,725,200 

384,621,175,738,800 

10  In.  -  5  Out. 

13,053,568,027,500 

1,093,591,406,407,500 
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6  GATE  BASIS  (Same  as  1  gate  basis,  but  multiplied  by  6n  where  n  is  the 
number  of  gates): 


Table  A. 4:  The  number  of  sub-circuits  containing  1,  2, 
3,  and  4  gates 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

1  In.  -  1  Out. 

6 

72 

1,512 

49, 248 

1  In.  -  2  Out. 

108 

3,240 

143, 856 

1  In.  -  3  Out. 

3,888 

209, 952 

1  In.  -  4  Out. 

233, 280 

1  In.  -  5  Out. 

2  In.  -  1  Out. 

18 

324 

9,720 

431,568 

2  In.  -  2  Out. 

648 

27,216 

1,609,632 

2  In.  -  3  Out. 

38,880 

2,799,360 

2  In.  -  4  Out. 

3,499,200 

2  In.  -  5  Out. 

3  In.  -  1  Out. 

36 

864 

33,696 

1,897,344 

3  In.  -  2  Out. 

2,160 

116,640 

8,631,360 

3  In.  -  3  Out. 

194,400 

17,496,000 

3  In.  -  4  Out. 

24,494,400 

3  In.  -  5  Out. 

4  In.  -  1  Out. 

60 

1,800 

86,400 

5,896,800 

4  In.  -  2  Out. 

5,400 

356,400 

31,687,200 

4  In.  -  3  Out. 

680,400 

73,483,200 

4  In.  -  4  Out. 

114,307,200 

4  In.  -  5  Out. 

5  In.  -  1  Out. 

90 

3,240 

184,680 

14,813,280 

5  In.  -  2  Out. 

11,340 

884, 520 

91,854,000 
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Table  A. 4  —  continued  from  previous  page 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

5  In.  -  3  Out. 

1,905,120 

240, 045, 120 

5  In.  -  4  Out. 

411,505,920 

5  In.  -  5  Out. 

6  In.  -  1  Out. 

126 

5,292 

349, 272 

32,196,528 

6  In.  -  2  Out. 

21,168 

1,905,120 

226,328,256 

6  In.  -  3  Out. 

4,572,288 

658,409,472 

6  In.  -  4  Out. 

1,234,517,760 

6  In.  -  5  Out. 

7  In.  -  1  Out. 

168 

8,064 

604, 800 

62,995,968 

7  In.  -  2  Out. 

36,288 

3,701,376 

495,113,472 

7  In.  -  3  Out. 

9,  797,  760 

1,587,237,120 

7  In.  -  4  Out. 

3,233,260,800 

7  In.  -  5  Out. 

8  In.  -  1  Out. 

216 

11,664 

979,  776 

113,793,984 

8  In.  -  2  Out. 

58,320 

6,648,480 

988,873,920 

8  In.  -  3  Out. 

19,245,600 

3,464,208,000 

8  In.  -  4  Out. 

7,621,257,600 

8  In.  -  5  Out. 

9  In.  -  1  Out. 

270 

16,200 

1,506,600 

193,039,200 

9  In.  -  2  Out. 

89,100 

11,226,600 

1,837,954,800 

9  In.  -  3  Out. 

35,283,600 

6,986,152,800 

9  In.  -  4  Out. 

16,512,724,800 

9  In.  -  5  Out. 

10  In.  -  1  Out. 

330 

21,780 

2,221,560 

311,279,760 

10  In.  -  2  Out. 

130,680 

18,033,840 

3,222,568,800 

10  In.  -  3  Out. 

61,158,240 

13,210,179,840 
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Table  A. 4  —  continued  from  previous  page 


1  Gate 

2  Gates 

3  Gates 

4  Gates 

10  In.  -  4  Out. 

33,392,399,040 

10  In.  -  5  Out. 

Table  A. 5:  The  number  of  sub-circuits  containing  5  and 
6  gates 


5  Gates 

6  Gates 

1  In.  -  1  Out. 

2,293,920 

144,540,288 

1  In.  -  2  Out. 

8,794,656 

705,578,688 

1  In.  -  3  Out. 

15,536,448 

1,494,018,432 

1  In.  -  4  Out. 

19,595,520 

2,149,908,480 

1  In.  -  5  Out. 

20,995,200 

2,519,424,000 

2  In.  -  1  Out. 

26,383,968 

2,116,736,064 

2  In.  -  2  Out. 

126,391,104 

12,665,144,448 

2  In.  -  3  Out. 

264,539,520 

31,517,994,240 

2  In.  -  4  Out. 

377,913,600 

51,396,249,600 

2  In.  -  5  Out. 

440,899,200 

66,134,880,000 

3  In.  -  1  Out. 

143,980,416 

14,076,301,824 

3  In.  -  2  Out. 

830,010,240 

100,079,919,360 

3  In.  -  3  Out. 

2,015,539,200 

287,214,336,000 

3  In.  -  4  Out. 

3,233,260,800 

525,551,846,400 

3  In.  -  5  Out. 

4,115,059,200 

740,710,656,000 

4  In.  -  1  Out. 

534,988,800 

61,770,211,200 

4  In.  -  2  Out. 

3,610,008,000 

509,560,502,400 

4  In.  -  3  Out. 

9,993,715,200 

1,659,544,588,800 
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Table  A. 5  —  continued  from  previous  page 


5  Gates 

6  Gates 

4  In.  -  4  Out. 

17,831,923,200 

3,374,348,544,000 

4  In.  -  5  Out. 

24,690,355,200 

5,184,974,592,000 

5  In.  -  1  Out. 

1,564,492,320 

208,461,340,800 

5  In.  -  2  Out. 

12,102,683,040 

1,958,782,875,840 

5  In.  -  3  Out. 

37,652,791,680 

7, 144,154,277,120 

5  In.  -  4  Out. 

74,071,065,600 

15,999,350,169,600 

5  In.  -  5  Out. 

111,106,598,400 

26,665,583,616,000 

6  In.  -  1  Out. 

3,880,729,440 

586,320,493,248 

6  In.  -  2  Out. 

33,866,937,216 

6,184,687,074,048 

6  In.  -  3  Out. 

117,032,283,648 

24,985,651,848,192 

6  In.  -  4  Out. 

251,841,623,040 

61,153,071,759,360 

6  In.  -  5  Out. 

407,390,860,800 

109,995,532,416,000 

7  In.  -  1  Out. 

8,534,066,688 

1,441,927,194,624 

7  In.  -  2  Out. 

82,951,755,264 

16,875,552,089,088 

7  In.  -  3  Out. 

315,331,107,840 

74, 828, 706, 785, 280 

7  In.  -  4  Out. 

737,183,462,400 

198,806,740,070,400 

7  In.  -  5  Out. 

1,280,371,276,800 

384,111,383,040,000 

8  In.  -  1  Out. 

17,116,966,656 

3,198,524,661,504 

8  In.  -  2  Out. 

183,401,470,080 

41,135,970,942,720 

8  In.  -  3  Out. 

760,740,076,800 

198,665,400,384,000 

8  In.  -  4  Out. 

1,920,556,915,200 

569,582,307,993,600 

8  In.  -  5  Out. 

3,566,748,556,800 

1,177,027,023,744,000 

9  In.  -  1  Out. 

31,924,951,200 

6,537,674,332,800 

9  In.  -  2  Out. 

373,845,780,000 

91,658,440,209,600 

9  In.  -  3  Out. 

1,680,487,300,800 

478,973,176,387,200 

9  In.  -  4  Out. 

4,557,512,044,800 

1,474,256,070,144,000 
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Table  A. 5  —  continued  from  previous  page 


5  Gates 

6  Gates 

9  In.  -  5  Out. 

9,015,947,  740,800 

3,245,741,186,688,000 

10  In.  -  1  Out. 

56,138,559,840 

12,502,955,361,600 

10  In.  -  2  Out. 

713,321,484,480 

189,799,968,631,680 

10  In.  -  3  Out. 

3,454,462,028,160 

1,067,131,537,655,040 

10  In.  -  4  Out. 

10,017,719,712,000 

3,510,208,987,084,800 

10  In.  -  5  Out. 

21,037,211,395,200 

8,204,512,444,128,000 

Table  A. 6:  The  number  of  sub-circuits  containing  7  and 
8  gates 


7  Gates 

8  Gates 

1  In.  -  1  Out. 

11,833,174,656 

1,220,634,054,144 

1  In.  -  2  Out. 

71,757,394,560 

9,010,251,323,136 

1  In.  -  3  Out. 

180,143,854,848 

26,534,341,780,992 

1  In.  -  4  Out. 

295,478,046,720 

49,435,936,174,080 

1  In.  -  5  Out. 

381,692,736,000 

70,564,027,392,000 

2  In.  -  1  Out. 

215,272,183,680 

27,030,753,969,408 

2  In.  -  2  Out. 

1,573,465,948,416 

237,021,030,738,432 

2  In.  -  3  Out. 

4,602,534,151,680 

806,424,389,084,160 

2  In.  -  4  Out. 

8,534,800,742,400 

1,692,393,846,681,600 

2  In.  -  5  Out. 

12,142,363,968,000 

2,661,320,479,104,000 

3  In.  -  1  Out. 

1,716,980,737,536 

255,041,533,384,704 

3  In.  -  2  Out. 

14,741,300,989,440 

2,599,633,491,010,560 

3  In.  -  3  Out. 

49,403,889,100,800 

10,068,216,919,142,400 

3  In.  -  4  Out. 

102,556,681,113,600 

23,577,962,991,206,400 
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Table  A. 6  —  continued  from  previous  page 


7  Gates 

8  Gates 

3  In.  -  5  Out. 

159,993,501,696,000 

40,638,349,430,784,000 

4  In.  -  1  Out. 

8,801,467,  776,000 

1,512,351,356,659,200 

4  In.  -  2  Out. 

86,953,342,406,400 

17,602,682,125,939,200 

4  In.  -  3  Out. 

329,076,581,299,200 

76,599,492,005,836,800 

4  In.  -  4  Out. 

757,500,097,536,000 

198,380,090,732,544,000 

4  In.  -  5  Out. 

1,288,836,541,440,000 

372,651,531,033,600,000 

5  In.  -  1  Out. 

34,007,323,720,320 

6,641,920,858,775,040 

5  In.  -  2  Out. 

380,331,377,838,720 

87,004,585,265,068,800 

5  In.  -  3  Out. 

1,605,734,781,396,480 

420,704,112,660,895,000 

5  In.  -  4  Out. 

4,063,834,943,078,400 

1,195,247,453,770,140,000 

5  In.  -  5  Out. 

7,499,695,392,000,000 

2,433,501,160,796,160,000 

6  In.  -  1  Out. 

107,806,444,373,376 

23,600,043,187,870,500 

6  In.  -  2  Out. 

1,347,048,991,895,040 

343,816,373,314,907,000 

6  In.  -  3  Out. 

6,280,224,922,073,090 

1,830,066,789,916,500,000 

6  In.  -  4  Out. 

17,344,362,207, 191,000 

5,663,187,583,692,230,000 

6  In.  -  5  Out. 

34,538,597,178,624,000 

12,432,575,037,915,600,000 

7  In.  -  1  Out. 

295,108,374,435,840 

71,592,856,366,768,100 

7  In.  -  2  Out. 

4,075,750,367,410,180 

1,148,633,303,031,630,000 

7  In.  -  3  Out. 

20,804,564,524,585,000 

6,676,641,735,473,850,000 

7  In.  -  4  Out. 

62,290,295,411,097,600 

22,364,031,851,849,300,000 

7  In.  -  5  Out. 

133,209,827,638,272,000 

52,690,248,501,682,200,000 

8  In.  -  1  Out. 

721,256,328,999,936 

192,103,822,535,630,000 

8  In.  -  2  Out. 

10,912,853,361,646,100 

3,366,437,611,460,150,000 

8  In.  -  3  Out. 

60,546,479,616,691,200 

21,223,356,031,935,100,000 

8  In.  -  4  Out. 

195,409,532,624,486,000 

76,528,315,069,098,400,000 

8  In.  -  5  Out. 

446,842,259,195,904,000 

192, 677, 611,  747, 586, 000,  000 
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Table  A. 6  —  continued  from  previous  page 


7  Gates 

8  Gates 

9  In.  -  1  Out. 

1,610,625,877,  776,000 

467,304,072,864,653,000 

9  In.  -  2  Out. 

26,498,212,673,961,600 

8,882,309,236,821,290,000 

9  In.  -  3  Out. 

158,802,757,542,317,000 

60, 377, 394, 708, 742, 000,  000 

9  In.  -  4  Out. 

549,707,287,574,016,000 

233, 239, 247, 015, 284, 000, 000 

9  In.  -  5  Out. 

1,338,868,239,508,800,000 

625, 129, 752, 556, 109, 000, 000 

10  In.  -  1  Out. 

3,341,381,703,200,640 

1,049,073,487,033,520,000 

10  In.  -  2  Out. 

59,395,654,291,818,200 

21,499,370,177,088,000,000 

10  In.  -  3  Out. 

382,422,737,945,065,000 

156, 765, 771, 089, 358, 000, 000 

10  In.  -  4  Out. 

1,413,556,350,593,590,000 

646, 015, 880, 709, 700, 000, 000 

10  In.  -  5  Out. 

3,654,163,619,346,240,000 

1, 836, 813, 623, 664, 540, 000, 000 
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Appendix  B.  Circuit  Rewrite  Rules 


This  is  the  table  of  rewrite  rules  used  by  a  sub-circuit  selection  and  replacement 
algorithm  selecting  sub-circuits  containing  one  gate  and  replacing  them  with 
sub-circuits  containing  two  gates: 


Table  B.l:  Circuit  Transformation  Rules 


Rule 

Label 

k  — >  Ti 

Reorient? 

M1 

0  =  AND (-1 ,  -1)  ->  0  =  NORC-l,  -1) 

1  =  N0R(0,  0) 

y 

m2 

0  =  AND (-1 ,  -1)  ->  0  =  NORC-l,  -1) 

1  =  NANDCO,  0) 

y 

M3 

0  =  ANDC-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  AND  CO,  -1) 

y 

m4 

0  =  ANDC-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NORCO,  0) 

y 

m5 

0  =  ANDC-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NANDCO,  0) 

y 

m6 

0  =  ANDC-1,  -1)  ->  0  =  ANDC-1,  -1) 

1  =  0RC0,  -1) 

y 

m7 

0  =  ANDC-1,  -1)  ->  0  =  ANDC-1,  -1) 

1  =  AND  CO,  0) 

y 

Ms 

0  =  ANDC-1,  -1)  ->  0  =  ANDC-1,  -1) 

1  =  0RC0,  0) 

y 

M9 

0  =  ANDC-1,  -1)  ->  0  =  NX0RC-1,  -1) 

1  =  AND  CO,  -1) 

y 
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Table  B.l  —  continued  from  previous  page 


Rule 

Label 

*  ^*2 

Reorient? 

M\q 

0  =  AND (-1 ,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NX0R(0 ,  -1) 

y 

Mu 

0  =  AND (-1 ,  -1)  ->  0  =  QR(-1,  -1) 

1  =  AND(0,  -1) 

y 

M 1 2 

0  =  AND (-1 ,  -1)  ->  0  =  0R(-1,  -1) 

1  =  0R(0,  -1) 

y 

M\;i 

0  =  AND (-1 ,  -1)  ->  0  =  0R(-1,  -1) 

1  =  AND(0,  0) 

y 

M\4 

0  =  AND (-1 ,  -1)  ->  0  =  0R(-1,  -1) 

1  =  0R(0 ,  0) 

y 

m15 

0  =  AND (-1 ,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  X0R(0 ,  -1) 

y 

Mi6 

0  =  AND (-1 ,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  0R(0 ,  -1) 

y 

Mu 

0  =  N0R(-1,  -1)  ->  0  =  N0R(-1,  -1) 

1  =  AND(0,  0) 

y 

Mis 

0  =  N0R(-1,  -1)  0  =  N0R(-1,  -1) 

1  =  0R(0 ,  0) 

y 

Mig 

0  =  N0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NORCO,  -1) 

y 

M20 

0  =  N0RC-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NANDCO,  -1) 

y 

M2 1 

0  =  N0RC-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  ANDCO,  0) 

y 
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Table  B.l  —  continued  from  previous  page 


Rule 

Label 

li  * 

Reorient? 

M22 

0  =  N0R(-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  0R(0 ,  0) 

y 

M23 

0  =  N0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NORCO,  0) 

y 

A^24 

0  =  NORC-l,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NANDCO,  0) 

y 

M25 

0  =  NORC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NANDCO,  -1) 

y 

M2Q 

0  =  NORC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  XORCO,  -1) 

y 

M27 

0  =  NORC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NORCO,  -1) 

y 

to 

00 

0  =  NORC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NANDCO,  -1) 

y 

M29 

0  =  NORC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NORCO,  0) 

y 

CO 

O 

0  =  NORC-l,  -1)  -+  0  =  ORC-1,  -1) 

1  =  NANDCO,  0) 

y 

M31 

0  =  NORC-l,  -1)  ->  0  =  XORC-1,  -1) 

1  =  NORCO,  -1) 

y 

M32 

0  =  NORC-l,  -1)  ->  0  =  XORC-1,  -1) 

1  =  NXORCO,  -1) 

y 

M33 

0  =  NANDC-l,  -1)  ->  0  =  NORC-l,  -1) 

1  =  AND  CO,  0) 

y 
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Rule 

Label 

li  *  ^*2 

Reorient? 

s; 

CO 

0  =  NANDC-l,  -1)  ->  0  =  NORC-l,  -1) 

1  =  0R(0 ,  0) 

y 

m35 

0  =  NAND(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NORCO,  -1) 

y 

M36 

0  =  NANDC-l,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NANDCO,  -1) 

y 

M37 

0  =  NANDC-l,  -1)  ->  0  =  NANDC-l ,  -1) 

1  =  AND  CO,  0) 

y 

CO 

00 

0  =  NANDC-l,  -1)  ->  0  =  NANDC-l ,  -1) 

1  =  ORCO,  0) 

y 

M3g 

0  =  NANDC-l,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NORCO,  0) 

y 

M40 

0  =  NANDC-l,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NANDCO,  0) 

y 

M41 

0  =  NANDC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NANDCO,  -1) 

y 

M42 

0  =  NANDC-l,  -1)  -+  0  =  NXORC-l,  -1) 

1  =  XORCO,  -1) 

y 

CO 

0  =  NANDC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NORCO,  -1) 

y 

A?44 

0  =  NANDC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NANDCO,  -1) 

y 

M45 

0  =  NANDC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NORCO,  0) 

y 

74 


Table  B.l  —  continued  from  previous  page 


Rule 

Label 

li  *  ^*2 
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m46 

0  =  NANDC-l,  -1)  ->  0  =  QR(-1,  -1) 

1  =  NANDCO,  0) 

y 

A/47 

0  =  NAND(-1,  -1)  ->  0  =  XORC-l,  -1) 

1  =  NORCO,  -1) 

y 

s' 

00 

0  =  NANDC-l,  -1)  ->  0  =  XORC-l,  -1) 

1  =  NXORCO,  -1) 

y 

M49 

0  =  NXORC-1,  -1)  ->  0  =  NORC-1,  -1) 

1  =  NANDCO,  -1) 

y 

M50 

0  =  NXORC-1,  -1)  ->  0  =  NORC-1,  -1) 

1  =  XORCO,  -1) 

y 

m51 

0  =  NXORC-1,  -1)  ->  0  =  NORC-1,  -1) 

1  =  ORCO,  -1) 

y 

m52 

0  =  NXORC-1,  -1)  ->  0  =  NORC-1,  -1) 

1  =  NXORCO,  0) 

y 

m53 

0  =  NXORC-1 ,  -1)  ->  0  =  NANDC-l ,  -1) 

1  =  NANDCO,  -1) 

y 

M54 

0  =  NXORC-1 ,  -1)  -+  0  =  NANDC-l ,  -1) 

1  =  XORCO,  -1) 

y 

0  =  NXORC-1 ,  -1)  ->  0  =  NANDC-l ,  -1) 

1  =  ORCO,  -1) 

y 

M56 

0  =  NXORC-1,  -1)  ->  0  =  NAND(-1 ,  -1) 

1  =  NXORCO,  0) 

y 

M57 

0  =  NXORC-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NXORCO,  -1) 

y 
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00 

0  =  NX0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NXORCO,  0) 

y 

M59 

0  =  NX0R(-1,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  ORCO,  -1) 

y 

Mm 

0  =  NXORC-l,  -1)  ->  0  =  NXORC-l ,  -1) 

1  =  AND  CO,  0) 

y 

Mqi 

0  =  NXORC-l,  -1)  ->  0  =  NXORC-l ,  -1) 

1  =  NXORCO,  0) 

y 

Mq2 

0  =  NX0R(-1 ,  -1)  ->  0  =  NXORC-l ,  -1) 

1  =  ORCO,  0) 

y 

Mq3 

0  =  NXORC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NXORCO,  -1) 

y 

Mq  4 

0  =  NXORC-l,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NXORCO,  0) 

y 

m65 

0  =  NXORC-l,  -1)  ->  0  =  XORC-1,  -1) 

1  =  NANDCO,  -1) 

y 

m66 

0  =  NXORC-l,  -1)  -+  0  =  XORC-1,  -1) 

1  =  NORCO,  0) 

y 

m67 

0  =  NXORC-l,  -1)  ->  0  =  XORC-1,  -1) 

1  =  NANDCO,  0) 

y 

00 

0  =  NXORC-l,  -1)  ->  0  =  XORC-1,  -1) 

1  =  NXORCO,  0) 

y 

Mm 

0  =  XORC-1,  -1)  ->  0  =  NORC-1,  -1) 

1  =  AND  CO,  -1) 

y 
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M70 

0  =  XORC-l,  -1)  ->  0  =  NORC-l,  -1) 

1  =  NORCO,  -1) 

y 

M71 

0  =  XORC-l,  -1)  ->  0  =  NORC-l,  -1) 

1  =  NXORCO,  -1) 

y 

to 

0  =  XORC-l,  -1)  ->  0  =  NORC-l,  -1) 

1  =  XORCO,  0) 

y 

M73 

0  =  XORC-l,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  AND  CO,  -1) 

y 

M74 

0  =  XORC-l,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NORCO,  -1) 

y 

M75 

0  =  XORC-l,  -1)  ->  0  =  NAND(-1 ,  -1) 

1  =  NXORCO,  -1) 

y 

M76 

0  =  XORC-l,  -1)  ->  0  =  NANDC-l ,  -1) 

1  =  XORCO,  0) 

y 

M77 

0  =  XORC-l,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  XORCO,  -1) 

y 

§ 

00 

0  =  XORC-l,  -1)  -+  0  =  AND (-1 ,  -1) 

1  =  XORCO,  0) 

y 

M79 

0  =  XORC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NORCO,  -1) 

y 

00 

O 

0  =  XORC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NORCO,  0) 

y 

M8i 

0  =  XORC-l,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  NANDCO,  0) 

y 
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0  =  X0R(-1,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  X0R(0 ,  0) 

y 

M83 

0  =  X0R(-1,  -1)  ->  0  =  QR(-1,  -1) 

1  =  X0R(0 ,  -1) 

y 

M84 

0  =  X0R(-1,  -1)  ->  0  =  0R(-1,  -1) 

1  =  X0R(0 ,  0) 

y 

M85 

0  =  X0R(-1,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  AND  CO,  -1) 

y 

M86 

0  =  X0R(-1,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  AND(0,  0) 

y 

Ms  7 

0  =  X0R(-1,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  X0R(0 ,  0) 

y 

s; 

00^ 

00 

0  =  X0R(-1,  -1)  ->  0  =  X0R(-1,  -1) 

1  =  0R(0 ,  0) 

y 

Ms  9 

0  =  0R(-1,  -1)  ->  0  =  N0R(-1,  -1) 

1  =  NORCO,  0) 

y 

s; 

CO 

O 

0  =  0R(-1,  -1)  0  =  NORC-l,  -1) 

1  =  NANDCO,  0) 

y 

m91 

0  =  0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  AND(0,  -1) 

y 

m92 

0  =  0R(-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NORCO,  0) 

y 

m93 

0  =  ORC-1,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NANDCO,  0) 

y 
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Mg  4 

0  =  0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  0R(0 ,  -1) 

y 

m95 

0  =  0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  AND(0,  0) 

y 

m96 

0  =  0R(-1,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  0R(0,  0) 

y 

M97 

0  =  0R(-1,  -1)  ->  0  =  NXORC-l,  -1) 

1  =  AND(0,  -1) 

y 

CD 

00 

0  =  0R(-1,  -1)  ->  0  =  NX0R(-1,  -1) 

1  =  NXORCO,  -1) 

y 

m99 

0  =  0R(-1,  -1)  ->  0  =  0R(-1,  -1) 

1  =  ANDCO,  -1) 

y 

Mioo 

0  =  0R(-1,  -1)  ->  0  =  0R(-1,  -1) 

1  =  0R(0,  -1) 

y 

Mioi 

0  =  0R(-1,  -1)  ->  0  =  0R(-1,  -1) 

1  =  ANDCO,  0) 

y 

Miq2 

0  =  ORC-1,  -1)  0  =  ORC-1,  -1) 

1  =  ORCO,  0) 

y 

Miq3 

0  =  ORC-1,  -1)  ->  0  =  XORC-1,  -1) 

1  =  XORCO,  -1) 

y 

M104 

0  =  ORC-1,  -1)  ->  0  =  XORC-1,  -1) 

1  =  ORCO,  -1) 

y 

m105 

0  =  ANDC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  ANDCO,  -2) 

y 
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-^106 

0  =  AND (-2 ,  -1)  ->  0  =  0R(-1,  -1) 

1  =  AND(0,  -2) 

y 

M107 

0  =  AND (-2 ,  -1)  ->  0  =  AND (-2 ,  -1) 

1  =  AND(0,  -1) 

y 

A^108 

0  =  AND (-2 ,  -1)  ->  0  =  AND (-2 ,  -1) 

1  =  ANDCO,  -2) 

y 

0  =  AND (-2 ,  -1)  ->  0  =  AND (-2 ,  -1) 

1  =  ANDCO,  0) 

y 

Mno 

0  =  AND (-2 ,  -1)  ->  0  =  AND (-2 ,  -1) 

1  =  0R(0 ,  0) 

y 

Mm 

0  =  AND (-2 ,  -1)  ->  0  =  NAND(-2,  -1) 

1  =  NORCO,  0) 

y 

M112 

0  =  AND (-2 ,  -1)  ->  0  =  NANDC-2,  -1) 

1  =  NAND(0,  0) 

y 

M 1 1 3 

0  =  AND (-2 ,  -1)  ->  0  =  NXORC-2,  -1) 

1  =  ANDCO,  -1) 

y 

Mii4 

0  =  AND (-2 ,  -1)  0  =  NXORC-2,  -1) 

1  =  ANDCO,  -2) 

y 

m115 

0  =  AND (-2 ,  -1)  ->  0  =  ANDC-2,  -2) 

1  =  ANDCO,  -1) 

y 

0  =  ANDC-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  ANDCO,  -1) 

y 

Mh7 

0  =  NORC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NORCO,  -2) 

y 
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0  =  NORC-2,  -1)  ->  0  =  QR(-1,  -1) 

1  =  NORCO,  -2) 

y 

M\\g 

0  =  NORC-2,  -1)  ->  0  =  NORC-2,  -1) 

1  =  AND(0,  0) 

y 

0  =  NORC-2,  -1)  ->  0  =  NORC-2,  -1) 

1  =  0RC0,  0) 

y 

M\  2 1 

0  =  NORC-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  NORCO,  -1) 

y 

M\22 

0  =  NORC-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  NORCO,  -2) 

y 

M123 

0  =  NORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  NORCO,  -1) 

y 

Mi  24 

0  =  NORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  NORCO,  -2) 

y 

Mj  25 

0  =  NORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  NORCO,  0) 

y 

M\26 

0  =  NORC-2,  -1)  -+  0  =  ORC-2,  -1) 

1  =  NANDCO,  0) 

y 

M\27 

0  =  NORC-2,  -1)  ->  0  =  ANDC-2,  -2) 

1  =  NORCO,  -1) 

y 

Mi28 

0  =  NORC-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  NORCO,  -1) 

y 

M\29 

0  =  NANDC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NANDCO,  -2) 

y 
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Miso 

0  =  NANDC-2,  -1)  ->  0  =  QR(-1,  -1) 

1  =  NAND(0,  -2) 

y 

M\?a 

0  =  NAND(-2,  -1)  ->  0  =  ANDC-2,  -1) 

1  =  NANDCO,  -1) 

y 

Mi32 

0  =  NANDC-2,  -1)  ->  0  =  ANDC-2,  -1) 

1  =  NANDCO,  -2) 

y 

M133 

0  =  NANDC-2,  -1)  ->  0  =  ANDC-2,  -1) 

1  =  NORCO,  0) 

y 

M134 

0  =  NANDC-2,  -1)  ->  0  =  ANDC-2,  -1) 

1  =  NANDCO,  0) 

y 

m135 

0  =  NANDC-2,  -1)  ->  0  =  NAND(-2,  -1) 

1  =  AND  CO,  0) 

y 

M 1 36 

0  =  NANDC-2,  -1)  ->  0  =  NAND(-2,  -1) 

1  =  0RC0,  0) 

y 

M 1 37 

0  =  NANDC-2,  -1)  ->  0  =  NXORC-2,  -1) 

1  =  NANDCO,  -1) 

y 

Ml38 

0  =  NANDC-2,  -1)  0  =  NXORC-2,  -1) 

1  =  NANDCO,  -2) 

y 

Ml39 

0  =  NANDC-2,  -1)  ->  0  =  ANDC-2,  -2) 

1  =  NANDCO,  -1) 

y 

M140 

0  =  NANDC-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  NANDCO,  -1) 

y 

M141 

0  =  NXORC-2,  -1)  ->  0  =  N0RC-1,  -1) 

1  =  X0RC0,  -2) 

y 
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M142 

0  =  NXORC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  NXORCO,  -2) 

y 

A^143 

0  =  NX0R(-2,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  X0R(0,  -2) 

y 

M144 

0  =  NXORC-2,  -1)  ->  0  =  ORC-1,  -1) 

1  =  NXORCO,  -2) 

y 

-^145 

0  =  NXORC-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  NORCO,  0) 

y 

Muq 

0  =  NX0R(-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  NANDCO,  0) 

y 

M147 

0  =  NX0R(-2,  -1)  ->  0  =  NX0R(-2,  -1) 

1  =  AND  CO,  0) 

y 

M148 

0  =  NX0R(-2,  -1)  ->  0  =  NX0R(-2,  -1) 

1  =  0RC0,  0) 

y 

M149 

0  =  NX0R(-2,  -1)  ->  0  =  NORC-2,  -2) 

1  =  X0RC0,  -1) 

y 

M150 

0  =  NX0R(-2,  -1)  0  =  ANDC-2,  -2) 

1  =  NXORCO,  -1) 

y 

m151 

0  =  NX0R(-2,  -1)  ->  0  =  NANDC-2,  -2) 

1  =  X0RC0,  -1) 

y 

M15  2 

0  =  NX0R(-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  NXORCO,  -1) 

y 

m153 

0  =  XORC-2,  -1)  ->  0  =  NORC-1,  -1) 

1  =  NXORCO,  -2) 

y 
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-^154 

0  =  XORC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  X0R(0 ,  -2) 

y 

A^155 

0  =  X0R(-2,  -1)  ->  0  =  NANDC-l,  -1) 

1  =  NX0R(0 ,  -2) 

y 

m156 

0  =  XORC-2,  -1)  ->  0  =  0R(-1,  -1) 

1  =  X0R(0 ,  -2) 

y 

M157 

0  =  XORC-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  AND  CO,  0) 

y 

m158 

0  =  X0R(-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  0R(0 ,  0) 

y 

m159 

0  =  X0R(-2,  -1)  ->  0  =  NXORC-2,  -1) 

1  =  NORCO,  0) 

y 

Mi60 

0  =  XORC-2,  -1)  ->  0  =  NXORC-2,  -1) 

1  =  NANDCO,  0) 

y 

Ml61 

0  =  XORC-2,  -1)  ->  0  =  NORC-2,  -2) 

1  =  NX0RC0,  -1) 

y 

M\q2 

0  =  XORC-2,  -1)  -+  0  =  ANDC-2,  -2) 

1  =  X0RC0,  -1) 

y 

Ml63 

0  =  XORC-2,  -1)  ->  0  =  NANDC-2,  -2) 

1  =  NX0RC0,  -1) 

y 

A^164 

0  =  XORC-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  X0RC0,  -1) 

y 

m165 

0  =  ORC-2,  -1)  ->  0  =  AND (-1 ,  -1) 

1  =  0RC0,  -2) 

y 
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Ml66 

0  =  0R(-2,  -1)  ->  0  =  QR(-1,  -1) 

1  =  0R(0 ,  -2) 

y 

Mi67 

0  =  0R(-2,  -1)  ->  0  =  N0R(-2,  -1) 

1  =  NORCO,  0) 

y 

Miqs 

0  =  0R(-2,  -1)  ->  0  =  NORC-2,  -1) 

1  =  NANDCO,  0) 

y 

Mieg 

0  =  0R(-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  0R(0 ,  -1) 

y 

Ml  70 

0  =  0R(-2,  -1)  ->  0  =  XORC-2,  -1) 

1  =  0RC0,  -2) 

y 

Mm 

0  =  ORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  0RC0,  -1) 

y 

Mi  72 

0  =  ORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  0RC0,  -2) 

y 

M 1 73 

0  =  ORC-2,  -1)  ->  0  =  ORC-2,  -1) 

1  =  AND  CO,  0) 

y 

Mi  74 

0  =  ORC-2,  -1)  -+  0  =  ORC-2,  -1) 

1  =  0RC0,  0) 

y 

Myj§ 

0  =  ORC-2,  -1)  ->  0  =  AND (-2 ,  -2) 

1  =  0RC0,  -1) 

y 

Mne 

0  =  ORC-2,  -1)  ->  0  =  ORC-2,  -2) 

1  =  0RC0,  -1) 

y 
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